Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Risk Manager

v1.0.0

Use when user asks about Monitor portfolio risk, R-multiples, and position limits. Creates hedging strategies, calculates expectancy, and implements stop-los...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL.md content aligns with the stated purpose (portfolio risk, R‑multiples, hedging, VaR, etc.). However, metadata mismatches are present: the registry lists ownerId kn7dv77... and slug openclaw-risk-manager, while the author/owner values in the files differ (_meta.json ownerId kn71ww..., skill.json author 'sickn33', identifier 'risk-manager'). These inconsistencies in provenance and naming are unexpected and should be verified.
Instruction Scope
The instructions themselves are narrowly scoped to risk management and do not request system files, environment variables, or network endpoints. However, the SKILL.md tells the agent to 'open resources/implementation-playbook.md' for detailed examples, and that file is not present in the manifest. Referencing a non-existent internal resource is a sign of incomplete or sloppy packaging and could indicate missing implementation that should be reviewed before use.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. This minimizes direct filesystem or network install risk.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The runtime instructions do not ask for secrets or unrelated environment data, so declared access is proportionate to its purpose.
Persistence & Privilege
always is false (not force-included). Model invocation is allowed (default), which is normal for a skill of this type. The skill does not request persistent system modifications or cross-skill config access in the instructions.
What to consider before installing
This skill's content is coherent for a risk manager (calculations, hedging advice, R‑multiples), but there are red flags in the packaging and provenance you should resolve before trusting it:
1) Verify the publisher/owner: the ownerId in the registry does not match _meta.json and the skill author strings differ.
2) Ask for or require the missing resource 'resources/implementation-playbook.md' that SKILL.md references, and review it before enabling the skill.
3) Because this is instruction-only, it cannot do hidden network installs, but confirm there are no hidden code files or later updates that add installers or requests for credentials.
If you cannot confirm the source or obtain the missing files, treat the skill as untrusted and avoid installing it in production environments.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fc2gj43gakkd0gxm4dga89x844bv1
