Pub Stock

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is presented as stock analysis but mainly provides a broad SkillBoss API gateway, including raw Bash calls and batch email/SMS capabilities, so users should review the scope carefully before using it.

Install this only if you intentionally want a broad SkillBoss API gateway, not just stock analysis. Use a dedicated/restricted API key, require explicit confirmation before email or SMS actions, avoid uploading sensitive files unless you trust the provider terms, and be cautious of referenced helper commands such as run.mjs that are not included in the reviewed package.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user installing this for stock analysis may unintentionally enable a much broader external AI/API gateway.

Why it was flagged

The artifact leads with stock/Yahoo Finance positioning but the visible instructions center on a broad SkillBoss gateway. This mixed framing can cause users to underestimate the non-financial capabilities being granted.

Skill content

name: stock-analysis ... description: "Analyze stocks and cryptocurrencies using Yahoo Finance data ... And also 50+ models..." ... # SkillBoss ... "One API key, 50+ models across providers"

Recommendation

Clarify the primary purpose, separate stock-analysis functionality from the general SkillBoss gateway, and make the non-stock capabilities prominent before installation.

What this means

If misused, the agent could send emails or SMS messages through the provider account, potentially causing cost, spam, privacy, or reputational issues.

Why it was flagged

These are high-impact external communication actions. In combination with the skill's Bash/curl API workflow, the artifacts do not define recipient limits, confirmation requirements, or safeguards for batch messaging.

Skill content

`email/send` | Send single email ... `email/batch` | Send batch emails ... `prelude/notify-send` | Send SMS notification ... `prelude/notify-batch` | Batch SMS notifications

Recommendation

Require explicit user confirmation before any email/SMS send, limit batch sizes and recipients, and consider excluding messaging tools from a stock-analysis skill.

What this means

Anyone with the key may be able to make provider calls that incur costs or access enabled services.

Why it was flagged

The skill requires a provider API key and uses it as a bearer credential. This is disclosed and expected for SkillBoss, but the key appears to cover many services and should be treated as sensitive.

Skill content

requires":{"env":["SKILLBOSS_API_KEY"]},"primaryEnv":"SKILLBOSS_API_KEY" ... Auth: `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`

Recommendation

Use a dedicated, least-privilege SkillBoss key if available, monitor usage, and revoke the key if the skill is no longer needed.

What this means

If a user obtains or runs an external run.mjs, its behavior would not have been reviewed here.

Why it was flagged

Multiple docs reference a run.mjs helper, but the provided manifest says there are no code files. This is not automatic execution, but it leaves the helper's provenance and behavior outside the reviewed artifacts.

Skill content

run.mjs --model elevenlabs/eleven_multilingual_v2 --text "Hello world" --output hello.mp3

Recommendation

Provide the helper source in the skill package or replace these examples with the documented curl API calls.

What this means

Sensitive prompts, audio, images, or documents submitted through the skill may be processed by the external API provider and its downstream model providers.

Why it was flagged

The skill sends prompts and potentially user-provided media or documents to an external provider API. This is disclosed and purpose-aligned for model access, but users should understand the data boundary.

Skill content

Base URL: `https://api.heybossai.com/v1` ... Speech-to-Text ... "inputs": {"audio_data": "BASE64_AUDIO", "filename": "recording.mp3"}

Recommendation

Avoid sending confidential data unless the provider's privacy and retention terms are acceptable, and disclose external processing clearly to users.