Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

trading-agents.skill

v0.0.2

Orchestrate a swarm of specialized Claude subagents that simulate a professional trading firm to analyze stocks and produce trading decisions. Based on the T...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill claims to orchestrate multiple analyst subagents to analyze stocks and produce trading recommendations; the included agent prompts, orchestration instructions, and Python scripts (fetching market data and computing technical indicators) align with that purpose. Requested binaries (python3, pip) and the presence of Python scripts and pyproject.toml are appropriate for this functionality.
Instruction Scope
SKILL.md instructs the agent to spawn analyst subagents, run the provided Python scripts, perform web searches, and save reports. All referenced files and actions (run scripts/fetch_market_data.py, run scripts/technical_indicators.py, read agents/*.md) are present and consistent. The instructions require collecting data from public sources (news, social media, filings), which matches the stated aims; they do not ask to read unrelated system files or secret environment variables.
Install Mechanism
There is no registry install spec (instruction-only), but SKILL.md instructs `pip install -U uv` and `uv sync` to install dependencies from pyproject.toml. Installing dependencies will pull packages from PyPI (yfinance, akshare, numpy, pandas). This is expected for a Python skill but creates the usual supply-chain risks: review/verify the 'uv' package (uncommon name), and the listed dependencies before running. No downloads from arbitrary URLs or extract operations are present in the bundle itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The scripts use yfinance and public web searches to obtain market data; that requires network access but no secrets. The lack of requested credentials is proportionate to the described behavior.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no installer that persists credentials or forces global agent changes. It writes output files (reports/JSON) into working directories as expected for data processing; this is normal and scoped to the skill's outputs.
Assessment
This skill appears to do what it says: orchestrate analyst subagents and run supporting Python scripts to fetch market data and compute indicators. Before installing/running:
1) Review and vet the 'uv' package (SKILL.md asks you to pip install it) — it's uncommon and will control the environment; consider using a known tool (venv/virtualenv) instead or inspect the package on PyPI.
2) Inspect pyproject.toml dependencies (akshare, yfinance) and be aware they access external financial data sources; run in an isolated environment or sandbox to limit blast radius.
3) Expect network activity (web searches, site scraping) — if you plan to provide sensitive portfolio context to the skill, be cautious because reports include saved files and links.
4) If you need to comply with scraping/terms-of-service, confirm the data sources and usage.
5) If uncertain, run the scripts manually in a controlled environment first to confirm behavior and outputs.

Like a lobster shell, security has layers — review code before you run it.

latestvk973csd0r1007mjxr4686recsn848csn

Runtime requirements

Bins: python3, pip, uv