Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Catalyst Edge
v1.0.1 · Identifies high-conviction stock opportunities and tracks JB's retirement portfolio with weekly scans, quarterly reviews, and FIRE signal analysis.
by @j3m2b
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code (scan scripts, FIRE pipeline) implements stock scanning, weekly/quarterly reviews, and Discord notifications as described — that matches the skill's stated purpose. Minor redundancy: two scanner implementations exist (scan_once.py uses Yahoo Finance; scanner.py uses Alpha Vantage and includes a hardcoded API key), which is explainable but unnecessary.
Instruction Scope
SKILL.md instructs the agent to read multiple local files including personal documents and '/workspace/memory/life-archive.md' (agent memory). The repo in fact contains highly sensitive personal financial files (bank account numbers, credit card suffixes, spouse & dependent info). The instructions also require posting summaries to a Discord channel but do not declare how credentials/webhook or posting authorization are obtained. Reading and broadcasting that level of personal data is scope-expansive and risky.
Install Mechanism
No install spec; this is effectively an instruction+code skill that runs existing Python scripts. That is low-install risk (nothing downloaded from arbitrary URLs).
Credentials
Registry metadata claims no required env vars or credentials, yet the code performs network calls and expects to post to Discord. scanner.py contains a hard-coded Alpha Vantage API key (embedded secret) while SKILL.md claims the primary scanner uses Yahoo (no key). Discord channel and server IDs are hard-coded, but there's no declared mechanism for the Discord bot token or webhook — a missing credential declaration is an incoherence. Also the skill expects access to agent memory and local files containing PII, which is far-reaching relative to a simple stock scanner.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). Autonomous invocation combined with the ability to read personal files and post to an external chat channel increases the blast radius; this is a contextual operational risk rather than a direct misconfiguration in the manifest.
Scan Findings in Context
[HARDCODED_SECRET_ALPHA_VANTAGE_KEY] unexpected: scanner.py embeds an Alpha Vantage API key (AYP4CXXCHLRXNH8L). Having a hard-coded API key in repository code is not necessary for a local scanner that uses Yahoo (scan_once.py) and is disproportionate; it may be stale, leaked, or belong to a third party and should be removed/rotated.
[EXTERNAL_NETWORK_CALLS] expected: Both scan_once.py (Yahoo Finance) and scanner.py (Alpha Vantage) make outbound HTTP(S) requests to public finance APIs. Network I/O is expected for a stock scanner, but combined with the ability to read local PII and the (undeclared) ability to post to Discord, it elevates data-exfiltration risk.
What to consider before installing
This skill mostly does what it says (scans tickers, computes FIRE signals, writes .md reports), but I recommend you do not install or enable it until you address these issues:
- Remove or redact personal financial documents included in the skill (CASH_FLOW_ANALYSIS.md, FIRE_MODEL.md, PORTFOLIO_ANALYSIS.md) or keep them outside the skill bundle. Those files contain PII and account details that the skill will read and could post to Discord.
- Confirm and control how Discord posting is authorized. The code has a channel/server ID but no declared token or webhook; ask the author how credentials are supplied. Prefer storing any Discord bot token or webhook URL in a secure environment variable (not in repo) and require explicit admin consent before the skill can post.
- Rotate or remove the hard-coded Alpha Vantage API key. If Alpha Vantage is not needed (scan_once.py uses Yahoo), remove scanner.py or disable its embedded key. Never leave secrets in code.
- If you plan to run this skill, run it in a sandboxed environment first (no access to your full workspace/memory). Limit the skill's read access to only the specific portfolio files you approve. Consider disabling autonomous invocation until you trust the deployment.
If the author can justify the included personal files, move any tokens/keys to secure env vars, and remove hard-coded secrets, the skill would move closer to coherence. As-is, there is a real privacy and credential-handling mismatch — proceed with caution.
