Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Analysis Skill

v2.1.3

Provides multi-market real-time stock analysis with technical indicators, news sentiment, and AI buy/sell/hold recommendations for portfolios and indices.

by ClawMem.com@leohuang8688
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Code implements multi-market quotes, technical indicators, news sentiment (Tavily), and decision/dashboard logic which is coherent with the skill name and description. Optional API keys (TAVILY_API_KEY, ALPHA_VANTAGE_API_KEY, TUSHARE_TOKEN) used in code are appropriate for the listed data sources. However, registry metadata claims 'Required env vars: none' while SKILL.md and .env.example require STOCK_LIST (required) and recommend API keys — this metadata mismatch is an incoherence.
Instruction Scope
SKILL.md gives concrete runtime instructions (pip install -r requirements.txt, copy/edit .env, run the analyzer). The instructions and code stay within the stated purpose (fetch data, analyze, format reports). Minor scope mismatches: SKILL.md advertises multi-channel notifications and scheduled analysis, but the provided Python sources do not implement any messaging or scheduling integration; also, SKILL.md triggered the scanner's unicode-control-chars pre-scan signal (see Scan Findings in Context), which could be an attempt to obfuscate the text or influence how it is parsed. Inspect the raw SKILL.md before trusting it.
Install Mechanism
No custom install script or remote archive; installation is standard Python dependency installation via requirements.txt. Dependencies (requests, yfinance, akshare, tushare, efinance, alpha-vantage, python-dotenv) are expected for this functionality. There are no downloads from unknown URLs or extraction steps in the manifest.
Credentials
The registry declares no required environment variables, but the SKILL.md/.env.example and code require STOCK_LIST (required) and optionally use TAVILY_API_KEY, ALPHA_VANTAGE_API_KEY, and TUSHARE_TOKEN. Those env vars are relevant to the skill's function, but the fact they are not declared in the registry metadata is a discrepancy. Also, the skill will use any API keys you provide to make network calls; avoid supplying high-privilege or unrelated credentials.
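One way to verify the credential claims directly, rather than trusting either the registry entry or SKILL.md, is to extract the environment variable names the Python sources actually read and diff them against what is declared. The following is an added example written for this review, not the skill's own code or a ClawHub tool. It parses sources with the standard ast module; the sample analyzer text and the EXTRA_SECRET variable inside it are constructed to show what an undocumented read looks like and are not something found in this skill.

```python
"""Compare the environment variables a skill's Python code reads with the
ones its registry entry or SKILL.md declares.

Added example for this review, not the skill's own code. SAMPLE_ANALYZER_PY
is constructed; it is not the Stock Analysis Skill's real source.
"""
import ast
import os
from typing import Dict, Optional, Set


def _is_os_environ(node: ast.AST) -> bool:
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _literal_str(node: ast.AST) -> Optional[str]:
    """Return the value of a string literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


class EnvReadVisitor(ast.NodeVisitor):
    """Collect names read via os.environ[...], os.environ.get(...) and os.getenv(...).

    Aliases such as `from os import environ` are not followed. `dynamic` counts
    reads whose key is not a string literal; those need manual review.
    """

    def __init__(self) -> None:
        self.names: Set[str] = set()
        self.dynamic = 0

    def _record(self, key_node: ast.AST) -> None:
        name = _literal_str(key_node)
        if name is None:
            self.dynamic += 1
        else:
            self.names.add(name)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        if _is_os_environ(node.value):
            key = node.slice
            if type(key).__name__ == "Index":   # Python 3.8 wraps the key in ast.Index
                key = key.value
            self._record(key)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and node.args:
            is_getenv = (func.attr == "getenv" and isinstance(func.value, ast.Name)
                         and func.value.id == "os")
            is_environ_get = func.attr == "get" and _is_os_environ(func.value)
            if is_getenv or is_environ_get:
                self._record(node.args[0])
        self.generic_visit(node)


def analyze_source(source: str) -> EnvReadVisitor:
    visitor = EnvReadVisitor()
    visitor.visit(ast.parse(source))
    return visitor


def env_reads_in_source(source: str) -> Set[str]:
    return analyze_source(source).names


def env_reads_in_tree(root: str) -> Set[str]:
    """Union of env var names read by every .py file under root."""
    names: Set[str] = set()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    names |= env_reads_in_source(fh.read())
    return names


def compare_declared(declared: Set[str], used: Set[str]) -> Dict[str, Set[str]]:
    """Undeclared reads are the review finding; unused declarations hint at stale docs."""
    return {"undeclared": used - declared, "unused": declared - used}


# Constructed sample standing in for a skill's analyzer module (not the real skill).
SAMPLE_ANALYZER_PY = '''
import os
STOCKS = os.environ["STOCK_LIST"].split(",")
TAVILY = os.getenv("TAVILY_API_KEY")
AV_KEY = os.environ.get("ALPHA_VANTAGE_API_KEY", "")
TUSHARE = os.getenv("TUSHARE_TOKEN")
EXTRA = os.environ["EXTRA_SECRET"]   # hypothetical undocumented read a reviewer should catch
'''

# What the registry metadata declares ("Required env vars: none")
REGISTRY_DECLARED: Set[str] = set()
# What SKILL.md / .env.example document
DOCUMENTED: Set[str] = {"STOCK_LIST", "TAVILY_API_KEY", "ALPHA_VANTAGE_API_KEY", "TUSHARE_TOKEN"}

if __name__ == "__main__":
    used = env_reads_in_source(SAMPLE_ANALYZER_PY)
    for label, declared in (("registry", REGISTRY_DECLARED), ("SKILL.md", DOCUMENTED)):
        diff = compare_declared(declared, used)
        print(f"{label}: undeclared={sorted(diff['undeclared'])} unused={sorted(diff['unused'])}")
```

Point env_reads_in_tree at the unpacked skill directory to run it against the real sources; anything in "undeclared" that is not in SKILL.md is the kind of finding that would move this assessment from suspicious to malicious, and a non-zero dynamic count means some reads have to be traced by hand.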
Persistence & Privilege
Skill does not request 'always: true' or any elevated persistent privileges. Defaults permit autonomous invocation (platform default), but the skill does not modify other skills or system-wide config. No evidence of writing to unrelated config paths.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md triggered a 'unicode-control-chars' pattern. The rest of the repository appears to be normal Python code for stock analysis, but control characters in documentation can be used to obfuscate or influence parsers; inspect the raw SKILL.md and README contents for hidden characters before trusting automated installers.
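A quick way to do the raw-text inspection this finding asks for is a small scanner that reports every control, format, bidirectional-override or zero-width codepoint with its line and column, so a hidden character cannot be missed when the file is opened in an ordinary editor. This is an added example written for this review, not the skill's code or the ClawHub scanner; the SKILL.md text embedded in it is constructed to show what a hit looks like and is not the skill's real file.

```python
"""Find hidden Unicode control and format characters in a skill's documentation.

Added example for this review; it is not part of the Stock Analysis Skill, and
SAMPLE_SKILL_MD below is constructed, not the skill's real file.
"""
import sys
import unicodedata
from typing import List, NamedTuple, Optional

# Bidirectional controls (the "Trojan Source" family) that reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
# Zero-width characters: invisible, but they survive copy/paste and parsing.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Whitespace controls that legitimately appear in text files.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


class Finding(NamedTuple):
    line: int
    col: int
    codepoint: str
    name: str
    kind: str


def classify(ch: str) -> Optional[str]:
    """Return a category label for a suspicious character, or None if benign."""
    if ch in ALLOWED_CONTROLS:
        return None
    if ch in BIDI_CONTROLS:
        return "bidi-control"
    if ch in ZERO_WIDTH:
        return "zero-width"
    category = unicodedata.category(ch)
    if category == "Cc":
        return "control"
    if category == "Cf":       # other format characters (soft hyphen, tag characters, ...)
        return "format"
    return None


def scan_text(text: str) -> List[Finding]:
    """Report every suspicious character with its 1-based line and column."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ch)
            if kind is not None:
                findings.append(Finding(lineno, col, "U+%04X" % ord(ch),
                                        unicodedata.name(ch, "<unnamed>"), kind))
    return findings


def scan_file(path: str) -> List[Finding]:
    # Read as UTF-8 without newline translation so every original codepoint is inspected.
    with open(path, encoding="utf-8", errors="replace", newline="") as fh:
        return scan_text(fh.read())


# Constructed sample: a SKILL.md with a zero-width space inside an env var name
# and a right-to-left override hiding a sentence. Not the real skill file.
SAMPLE_SKILL_MD = (
    "# Stock Analysis Skill\n"
    "Run: pip install -r requirements.txt\n"
    "Set STOCK_LIST\u200b in .env\n"
    "Note: \u202eelbaliava si sliated erom\u202c\n"
)


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        findings = [f for p in argv[1:] for f in scan_file(p)]
    else:
        findings = scan_text(SAMPLE_SKILL_MD)
    for f in findings:
        print(f"line {f.line} col {f.col}: {f.codepoint} {f.name} [{f.kind}]")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_hidden.py SKILL.md README.md` (the script name is assumed); a non-zero exit means something was found. The zero-width space in the sample is the nastier case: a user who copies STOCK_LIST from the doc into .env gets a variable name that looks right but never matches what the code reads.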
What to consider before installing
Things to check before installing or running this skill:

- Metadata mismatch: the registry lists no required env vars, but the skill expects STOCK_LIST and optionally TAVILY_API_KEY, ALPHA_VANTAGE_API_KEY, and TUSHARE_TOKEN. Treat these env vars as needed and do not provide unrelated secrets.
- Source trust: the homepage is missing and the owner ID is opaque. Prefer skills with a verifiable repository or maintainer before giving them API keys.
- Review the raw SKILL.md text for hidden/control characters (the scanner flagged 'unicode-control-chars') and open the file in a hex-capable editor if concerned.
- Limit credentials: create API keys with minimal privileges, and use quota-limited/free-tier keys where possible. Do not supply AWS/GCP/other cloud credentials; this skill does not require them.
- Run in a sandbox: install and run in an isolated environment (container or VM) first to observe network calls and behavior.
- Inspect network endpoints: the code will contact (at least) api.tavily.com (news) and the external data libraries' backends (yfinance, which pulls from Yahoo; AkShare; efinance; Tushare; Alpha Vantage). If you need to prevent exfiltration, block or monitor outbound traffic to any endpoint not on that list.
- Note missing features: the README/SKILL.md mention multi-channel notifications and scheduled analysis, but those integrations are not present in the source; expect limited functionality unless you implement those parts yourself.

What would change this assessment: a public repository or homepage with commit history and maintainer identity (increases confidence), or corrected registry metadata listing the required env vars, would reduce the 'suspicious' tag. Conversely, discovery of telemetry/exfiltration code or hidden remote install steps would raise the severity.
