Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Finlab
v0.1.1Comprehensive guide for FinLab quantitative trading package. Use when working with trading strategies, backtesting, stock data, FinLabDataFrame, factor analy...
⭐ 0· 440·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the runtime instructions: the SKILL.md describes installing and running the FinLab library, building factors, and running backtests. The declared compatibility (Python + uv) aligns with the install steps inside the instructions.
Instruction Scope
The instructions encourage the agent to install packages, run backtests, display charts, and call finlab.login() (which opens a browser for OAuth and saves a token to a local .env). These actions are coherent for an executor-style FinLab skill, but they do involve running installs and writing/reading credentials from the user's environment (e.g., $HOME and .env). The SKILL.md also recommends auto-creating environments via uv run and suggests sourcing $HOME/.local/bin/env to put uv on PATH.
Install Mechanism
There is no registry install spec; instead the SKILL.md instructs using uv to pip-install finlab (i.e., standard package installs from PyPI via uv). This is a moderate-risk but proportionate mechanism for this purpose — it does perform remote package installs but uses normal tooling rather than arbitrary download URLs.
Credentials
The skill declares no required env vars, which is consistent with the SKILL.md. However, runtime requires a FinLab API token (the documentation describes finlab.login() OAuth flow that stores a token in a .env file). That credential usage is expected for accessing FinLab data, but the skill will read/write the user's home environment and create persistent tokens locally — users should expect that.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does instruct installing packages and creating/storing an API token locally (via finlab.login()), but it does not modify other skills or system-wide agent configs.
Assessment
This skill is a hands‑on executor for the FinLab Python library and is coherent with that purpose. Before installing/using it: (1) verify you trust the finlab package on PyPI (review its project/homepage); (2) be prepared for the skill to run package installs (uv/pip) on your machine — consider running in an isolated environment (virtualenv/VM/container) or using uv run's temporary environment; (3) finlab.login() will open a browser for Google OAuth and save a token to a local .env file — review that file and token storage if you care about credential placement; (4) backtest.sim() may upload reports by default (upload=True) or support notifications (Line) — set upload=False and avoid providing notification tokens unless you intend to share results. If you want the agent to be less autonomous, ask it to prompt before performing installs, logins, or environment changes.Like a lobster shell, security has layers — review code before you run it.
latestvk97bk13ypm0w97yh1nrp8fqra1824sr9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.