Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI News Sentiment

v1.0.0

Analyze financial news sentiment, assess short- to long-term impacts, and classify news by type like earnings, contracts, investments, policies, and reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and SKILL.md describe a news-sentiment analyzer that scrapes financial news and runs NLP; the included code provides only a small, local stub that returns simulated results. Declared dependencies (akshare, pandas, requests) are reasonable for the stated purpose but are not used by the shipped code. skill.json exports include 'impact_assessment' which is not implemented. These mismatches suggest the package is incomplete or poorly maintained.
Instruction Scope
SKILL.md shows a simple usage example calling analyze_news_sentiment and notes that a real implementation would require web scraping and NLP. The instructions do not ask the agent to read unrelated files or env vars, nor to exfiltrate data. However, SKILL.md's mention of external data sources implies network access would be required in a real implementation — the current code does not perform that access.
Install Mechanism
There is no install spec (instruction-only style), which minimizes immediate risk. However, skill.json lists external Python dependencies that are not automatically installed here; this can lead to runtime errors or prompt an agent/platform to install packages on demand. No download URLs or extraction steps are present.
Credentials
The skill requests no environment variables, credentials, or config paths. For the declared purpose (public news scraping), that's plausible. If the skill were extended to use paid APIs or private feeds, additional credentials would be expected but are not currently present.
Persistence & Privilege
The skill does not request always:true and uses default invocation behavior. It does not modify other skills' configs and does not declare any persistent system-level privileges.
What to consider before installing
This skill appears to be a lightweight stub rather than a full implementation. Before installing or enabling it:
1) Be aware it currently returns simulated data and does not fetch real news.
2) Verify the missing export (impact_assessment) and decide whether you need a complete implementation.
3) If you expect the skill to fetch news, confirm how and where network requests will be made and whether any credentials or rate limits apply.
4) Because skill.json lists Python packages that are not installed automatically, expect the agent or platform to install them on demand — review that behavior or run the skill in a sandbox first.
5) If you plan to use scraped sources (e.g., 财联社), confirm licensing/terms of service and that you are comfortable granting network access.
If you want higher assurance, ask the author for a full implementation or more details about how external data will be accessed and which packages will be installed.

Like a lobster shell, security has layers — review code before you run it.

latestvk977fvh4hynd4z34jbqnezh31n82yr8m
