ClawHub

CatalystWatch

v0.0.2

Monitor and analyze market-moving catalysts including earnings, FDA decisions, economic data releases, and corporate events

0· 405·0 current·0 all-time
byCollier King@collierking
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to monitor market catalysts and only requires a single CATALYSTWATCH_API_KEY, which is proportionate to that purpose. However, the package has no homepage or source information and an unknown owner ID, making provenance and trustworthiness unclear.
Instruction Scope
SKILL.md is instruction-only and stays within the expected scope (querying an external catalyst service using an API key). It is high-level and does not instruct the agent to read local files or other credentials. The instructions are vague about endpoints, alerting mechanisms, and what exact data is sent, which grants the agent broad discretion at runtime.
Install Mechanism
No install spec and no code files — lowest-risk delivery method. Nothing is written to disk by the skill itself. The remaining risk comes from network calls to an external API (expected for this type of skill).
Credentials
Declared requirement is a single API key (CATALYSTWATCH_API_KEY), which is appropriate. SKILL.md also mentions an optional CATALYSTWATCH_WATCHLIST env var but that optional var is not listed in the declared requires.env metadata — a minor inconsistency. The skill does not declare what permissions or scopes the API key should have, so you cannot verify least-privilege.
Persistence & Privilege
always is false, there is no install or config path access, and the skill does not request system-level persistence. Autonomous invocation by the agent is enabled (default) — expected behavior for skills.
What to consider before installing
This skill appears to do what it says and only asks for one API key, but there are some checks you should do before installing: - Verify the provider: ask for the service homepage, API docs, and privacy/TOS to confirm where requests go and how data is handled. - Limit the API key: create a scoped key with the minimum permissions and avoid reusing keys from other services (do not supply brokerage or cloud credentials). - Confirm the optional env var: ensure CATALYSTWATCH_WATCHLIST (if used) won’t cause the agent to send sensitive internal watchlists unless you intend that. - Test safely: try with a read-only or rate-limited test key and monitor outgoing network requests to see endpoints and data payloads. - If you need stronger assurance, prefer skills with published source/homepage and verifiable ownership.

Like a lobster shell, security has layers — review code before you run it.

latestvk979xtv0jcznw29w3xqv51kzrd81ne4w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvCATALYSTWATCH_API_KEY
Primary envCATALYSTWATCH_API_KEY

Comments