Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Medici Investments Pack

v1.0.0

Position management and market monitoring tools for active traders. Includes risk-based position sizing (fixed fractional, ATR, Kelly Criterion) and a quick...

by RunByDaVinci@clawdiri-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, README, and SKILL.md consistently describe position sizing and a market pulse monitor. The described Python deps (yfinance, pandas) are plausible for this functionality.
Instruction Scope
SKILL.md is minimal and stays on-task. It does not ask the agent to read unrelated files or credentials, but it delegates runtime behavior to two named subskills (medici-investments-position-sizer-dv and medici-investments-pulse-dv) which are not included in this package.
Install Mechanism
No install spec is provided in the package; the Quick Start tells users to run 'clawhub install' for two subskills. Because those subskills are fetched at install time from the registry (not present here), that fetch could pull arbitrary code/packages — there is no provenance, homepage, or source repo listed to verify what will be installed.
Credentials
The skill declares no required environment variables, credentials, or config paths. That matches the SKILL.md and README which imply use of public market data (yfinance) and local calculations.
Persistence & Privilege
The skill is not marked 'always' and uses default model invocation; it does not request system-wide privileges or modify other skills. No persistence-related flags are present.
What to consider before installing
This pack itself is just an index/manifest and appears consistent with its stated purpose, but it references two subskills that are not included. Before installing or letting an agent auto-install them, do the following:
(1) inspect the subskills' source code or their registry pages to see exactly what will be installed;
(2) verify where 'clawhub install' fetches packages from (registry, git repo, PyPI) and review those upstream packages;
(3) run installs in an isolated environment or sandbox and review network activity during first use;
(4) confirm any Python packages (yfinance, pandas) are from official PyPI releases and pinned to safe versions;
(5) be cautious if the subskills later request credentials or access to private APIs — these would be unnecessary for yfinance-based read-only market snapshots.
If you can't review the subskills' code or provenance, treat the install as higher risk.

