Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Economic Calendar Fetcher Zc
v1.0.0Fetch scheduled upcoming economic events and data releases from FMP API for specified date ranges with impact assessment in chronological markdown format.
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (querying the FMP economic calendar) matches the script and documentation. However, the registry metadata lists no required environment variables or primary credential while both SKILL.md and the included script clearly require an FMP API key (FMP_API_KEY). This metadata omission is an inconsistency worth flagging.
Instruction Scope
SKILL.md instructs the agent to check FMP_API_KEY, prompt the user for the key if missing, validate dates, run the bundled Python script, and post-process/filter results. The instructions and script only access FMP's API endpoint and local files (optionally writing output). There are no instructions to read unrelated files, exfiltrate arbitrary data, or contact hidden endpoints, but the skill asks the agent to request secrets via chat which can leak keys into logs if not handled carefully.
Install Mechanism
This is an instruction-only skill (no install spec). A Python script is included but nothing is downloaded or installed automatically. No remote installers or obscure URLs were found in the package.
Credentials
Only one credential (an FMP API key) is required by the script, which is proportionate to the purpose. However, the package metadata does not declare this required environment variable or primary credential, creating a transparency/permission mismatch that could cause surprise when the agent requests a key.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It does not modify other skills or system settings and will only run when invoked. Autonomous invocation is allowed by default (platform behavior) but is not combined here with any broad privileges.
What to consider before installing
What to consider before installing: (1) The included script legitimately needs an FMP API key (FMP_API_KEY). The registry metadata failing to declare that is an inconsistency — assume the skill will prompt for your key. (2) Prefer setting FMP_API_KEY as an environment variable on your system rather than pasting the key into chat (chat text may be logged). (3) Inspect the bundled script locally (it only calls https://financialmodelingprep.com and writes output files if you ask) and run it yourself to confirm behavior before giving the agent access to your key. (4) Verify the skill's source/owner and prefer skills with a homepage/repository; if you plan to let an autonomous agent use this skill, be cautious about granting it your API key. (5) If anything is unclear, ask the publisher to update metadata to declare FMP_API_KEY and provide a trusted homepage before use.Like a lobster shell, security has layers — review code before you run it.
latestvk976pkhp89tntvnkvndsmxyms583mz3x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.