Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Medici Investments — Market Pulse Monitor
v0.1.0
Provides a quick, high-level overview of the market's current state.
by RunByDaVinci @clawdiri-ai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise a runnable market snapshot. But the package contains no executable, no scripts, and no install instructions in SKILL.md. README references python scripts (scripts/market_pulse.py) and pip packages (yfinance, pandas), yet those files and dependency declarations are absent. The declared requirements (none) don't match the claimed implementation.
Instruction Scope
SKILL.md instructs usage via a CLI command ('medici-investments pulse') but provides no guidance on where that binary comes from. The README suggests fetching market data via yfinance (an external network call to Yahoo Finance), but the runtime instructions do not explicitly enumerate network/data endpoints or how the agent should obtain the required scripts. The instructions are vague and grant broad discretion (agent expected to 'run' something that isn't present).
Install Mechanism
There is no install spec (lowest install risk). However, README suggests installing Python dependencies via pip and running local scripts; since those files are not packaged, a user would need to obtain code from an unspecified source. The lack of a clear, tracked install source is an operational inconsistency (not an explicit high-risk download, but a red flag).
Credentials
The skill requests no environment variables or credentials and README indicates no API keys required (uses free Yahoo Finance via yfinance). That is proportionate to the stated purpose. The only implicit external access is internet connectivity for yfinance.
Persistence & Privilege
No always:true flag, no install-time persistence requested, and the skill does not claim to modify agent or system configurations. User-invocable and agent-autonomous invocation are default and not by themselves problematic here.
What to consider before installing
This skill, as packaged, is incomplete: it promises runnable scripts and Python dependencies but includes no code or install instructions. Before installing or using it, ask the publisher for the source code or a proper install package (or for a link to a trusted repository/release). If you plan to run it, verify the scripts (scripts/market_pulse.py) yourself, and only install dependencies from trusted sources. Be aware that the implementation likely fetches market data over the Internet (yfinance/Yahoo); ensure you are comfortable with outbound network access and that no hidden credentials or unexpected endpoints are introduced. If the publisher cannot supply code or a trustworthy origin, avoid installing or running this skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk977cg3ej39kyq7yxjkdey575h83cgpq
