Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FRED-Navigator
v1.0.0
Navigate FRED categories and series using fredapi, supporting natural-language queries with intent recognition and double validation.
by @kiszly
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, Python deps (fredapi, pandas), helper scripts, and large reference JSON files all align with a FRED category/series navigation skill. The included scripts implement category listing, series retrieval, path-building and checks that are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to read local reference files and run helper scripts (scripts/fred_query.py, scripts/build_paths.py) and to use the IDE agent for intent recognition. Those instructions stay within the stated FRED navigation scope. However SKILL.md requires reading FRED_API_KEY from the environment and instructs running Python helpers in a sandbox; the runtime scripts also abort if FRED_API_KEY is missing — this requirement is not reflected in the registry metadata.
Install Mechanism
There is no install spec (instruction-only install). The repo includes requirements.txt listing known Python packages (fredapi, pandas) and only local code and large reference JSON files. No external download URLs or archive extraction are used by the skill bundle itself.
Credentials
The runtime explicitly requires a FRED API key via the environment variable FRED_API_KEY (scripts/fred_query.py calls os.getenv and exits if missing), which is appropriate and proportional to the skill. The problem is that the registry metadata lists no required env vars — this mismatch is an incoherence that could mislead users into installing without supplying required credentials or expecting different behavior.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and contains no install-time persistence mechanism. Autonomous invocation is allowed (default) but not combined with any unusually broad privileges in this package.
What to consider before installing
This package appears to implement exactly what it claims (FRED category/series navigation using fredapi) and contains only local helper scripts and reference JSON data. Before installing:
(1) Note the runtime requires a FRED API key via the environment variable FRED_API_KEY — the registry metadata does not declare this, so you must supply it manually;
(2) Review the large reference JSON files if you care about disk usage or data provenance;
(3) The scripts will make network calls to FRED via fredapi (the official FRED API), so only provide an API key you trust and keep it secret;
(4) Run the code in a sandboxed environment as suggested (it will abort if FRED_API_KEY is missing); and
(5) If you plan to install widely, ask the publisher or registry to update the metadata to declare FRED_API_KEY so the requirement isn't silently omitted.
If you want me to, I can extract the exact places the code reads environment variables and list the network endpoints it will call.
Like a lobster shell, security has layers — review code before you run it.
latestvk979amdhg8as1xtb3x4wq6p53h81dz57
