Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finance Lite (Beta): Daily Macro + Market Move Brief

v1.0.1

Daily macro + market brief (FRED + benchmarks + watchlist ticker) with critical-headline triage, explicit source/freshness notes, and graceful fallback behav...

by Junyi Jiao @junyij
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (daily macro + market brief) align with the code and runtime instructions: the bundle fetches data from finance endpoints (Finnhub, Nasdaq, FRED/CSV, Finviz-like feeds), formats a concise brief, and persists a local cache and bundled watchlist.json. These capabilities are expected for the stated purpose. However, the registry metadata reported 'Required env vars: none' while SKILL.md and the code clearly require FINNHUB_API_KEY (and optionally NASDAQ_DATALINK_API_KEY). This metadata mismatch is inconsistent and should be corrected.
Instruction Scope
SKILL.md and the included script confine actions to fetching market/macro data, writing a local cache under ./scripts/finance_lite/.cache/, and updating the bundled watchlist.json via add/remove. The tool documents these behaviors; it does not instruct reading unrelated system files or transmitting data to unexpected endpoints beyond the declared finance/news sources.
Install Mechanism
No install spec is present (instruction-only with shipped source files). All code is bundled with the skill; there are no external downloads or extract steps. This is low-risk compared with an installer that fetches arbitrary remote code.
Credentials
The tool requires FINNHUB_API_KEY (mandatory) and may use NASDAQ_DATALINK_API_KEY. Those requirements are proportionate to fetching market data. The concern is that the registry metadata claims no required env vars while the runtime docs and code require an API key — this discrepancy could lead users to unknowingly supply sensitive credentials or to run the skill without necessary guards. Verify the metadata and confirm what secrets the skill will actually read before installing.
Persistence & Privilege
The skill does not request elevated system privileges or permanent 'always' inclusion. It writes only to its own bundle directory (cache + bundled watchlist.json) and explicitly disables calendar/event sync. It does not modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to implement the finance brief it claims, but the package metadata and runtime docs disagree: SKILL.md and the script require FINNHUB_API_KEY (and node + curl), while the registry listing shows no required env vars. Before installing: (1) Confirm you are comfortable providing a FINNHUB API key and consider using a key with limited scope or rate limits; (2) Review the bundled script (brief.mjs) yourself or run it in a sandbox to verify network endpoints and behavior; (3) Expect the skill to write cache files and to update watchlist.json in its own directory—back up any important data and run in an isolated working directory; (4) Ask the publisher to fix the registry metadata to accurately list required environment variables and binaries so there is no surprise about secret access. If you cannot inspect or sandbox the code, treat the metadata mismatch as a reason to hold off.
