Finance Radar

v1.1.0

Stock and cryptocurrency analysis powered by Yahoo Finance data. Use when a user wants to: (1) Analyze stocks or crypto prices/fundamentals, (2) Track invest...

1 · 3.5k · 28 current · 32 all-time
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name/description (Yahoo Finance analysis + billing) aligns with the included scripts (analysis, scoring, watchlist, portfolio, billing). However, the registry metadata lists no required environment variables, while SKILL.md and the scripts clearly require SKILLPAY_API_KEY for billing; this mismatch is unexplained and should be surfaced to users.
! Instruction Scope
SKILL.md instructs the agent to run the included Python scripts and to call billing first. The scripts perform network calls (yfinance, via a pip-installed package, and the SkillPay.me HTTP API), read/write JSON under ~/.openclaw/workspace/finance-radar/data, and may install dependencies at runtime. SKILL.md was flagged for unicode-control-chars (possible prompt-injection attempt); while the code itself looks finance-related, SKILL.md contains injection signals that warrant manual review.
Install Mechanism
There is no formal install spec (instruction-only), but the scripts call subprocess to pip-install 'yfinance' on demand. Dynamic pip installs are common but do fetch code from the network at runtime (and may pull transitive dependencies). This increases runtime attack surface compared to a bundled dependency list.
! Credentials
The only environment secret referenced in the instructions/code is SKILLPAY_API_KEY (used by scripts/billing.py). That is proportionate to the described billing feature, but the registry metadata not listing any required env vars is inconsistent. No unrelated credentials are requested, which is good, but the missing metadata entry is a red flag.
Persistence & Privilege
The skill does not request special platform privileges and 'always' is false. It writes to a per-skill directory under the user's home (~/.openclaw/workspace/finance-radar/data) for portfolio/watchlist CSV/JSON — expected for this functionality. The skill can be invoked autonomously (platform default) but that alone is not flagged.
Scan Findings in Context
[unicode-control-chars] unexpected: The pre-scan flagged unicode control characters in SKILL.md which can be used for prompt injection or to obscure content. This is not expected for a straightforward finance skill and should be manually inspected in the raw SKILL.md text to confirm there are no hidden instructions or malicious manipulations.
What to consider before installing
Key things to consider before installing:
- Metadata mismatch: the registry lists no required env vars but SKILL.md and billing.py require SKILLPAY_API_KEY. Confirm whether you must supply an API key and whether you trust the SkillPay.me endpoint before providing credentials.
- Billing: billing.py will call https://skillpay.me and charge 0.001 USDT per call; do not provide your SKILLPAY_API_KEY to an untrusted skill or environment.
- Dynamic installs: the scripts auto-install 'yfinance' via pip at runtime. That fetches code from PyPI; if you require stricter controls, pre-install and vet dependencies in a sandbox.
- File writes: the skill reads/writes data under ~/.openclaw/workspace/finance-radar/data (portfolio, watchlist, CSV exports). If you want to avoid persistent files, run it in a disposable environment.
- Prompt-injection indicator: the SKILL.md was flagged for unicode control characters — ask the publisher for the raw SKILL.md or inspect it yourself for hidden control characters or obfuscated text.
- Origin and trust: source is 'unknown' and no homepage is provided. If you plan to use this skill with real credentials or sensitive data, prefer a skill from a known author or review the full code locally and run it in an isolated environment first.

Actions you can take:
1) Request the publisher/source or a repository URL for provenance;
2) Review SKILL.md raw bytes to remove/control any hidden unicode control characters;
3) Audit billing.py and only set SKILLPAY_API_KEY if you trust skillpay.me and the skill author;
4) Run code in a sandbox (container/VM) and/or pre-install dependencies rather than letting the skill pip-install at runtime.

Like a lobster shell, security has layers — review code before you run it.

latest vk97ca4c1dhf91xa8m8b0v135ch82cqmz
3.5k downloads
1 star
2 versions
Updated 1mo ago
v1.1.0
MIT-0

Finance Radar

Stock & crypto intelligence via Yahoo Finance. Charges 0.001 USDT/call via SkillPay.

Commands

| Command | Script | Description |
|---|---|---|
| analyze | scripts/analyze.py | Stock/crypto analysis (price, fundamentals, technicals) |
| score | scripts/score.py | 8-dimension stock scoring |
| batch | scripts/batch.py | Batch analyze multiple tickers + CSV export |
| portfolio | scripts/portfolio.py | Portfolio tracking & P/L |
| watchlist | scripts/watchlist.py | Watchlist with price alerts |
| dividend | scripts/dividend.py | Dividend yield & history |
| hot-scan | scripts/hot_scan.py | Viral trend detection |
| rumor | scripts/rumor.py | Rumor & early signal detection |
| billing | scripts/billing.py | SkillPay charge/balance/payment |

Workflow

1. Billing:  python3 scripts/billing.py --charge --user-id <id>
2. Execute:  python3 scripts/<command>.py --ticker AAPL

Quick Examples

# Analyze a stock
python3 scripts/analyze.py --ticker AAPL

# Analyze crypto
python3 scripts/analyze.py --ticker BTC-USD

# Batch analyze (NEW)
python3 scripts/batch.py --tickers AAPL,GOOG,MSFT
python3 scripts/batch.py --tickers AAPL,GOOG,MSFT --export  # Export CSV

# 8-dimension score
python3 scripts/score.py --ticker TSLA

Config

| Env Var | Required | Description |
|---|---|---|
| SKILLPAY_API_KEY | Yes | SkillPay.me API key |

References

See references/scoring-model.md for 8-dimension scoring methodology.
