Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yahoo Claw

v0.1.7

Yahoo Finance API integration for OpenClaw. Use when users ask for stock prices, company financials, historical data, dividends, or market data. Supports rea...

by ClawMem.com (@leohuang8688)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the bundled code. The code uses yahoo-finance2 and an optional Alpha Vantage fallback (AlphaVantage module reads ALPHA_VANTAGE_API_KEY). The included modules (Quote, History, News, Technical, APIManager) implement the advertised features (quotes, history, news, technical indicators) and dependencies in package.json are appropriate for that purpose.
Instruction Scope
SKILL.md instructs network access to Yahoo Finance and optional use of an Alpha Vantage API key; it states no shell execution and no sensitive-data collection — the code appears consistent with that. However, SKILL.md, README and README-CN mention optional local SQLite storage or DATABASE_PATH in places, while the provided APIManager uses an in-memory Map cache and I could not find SQLite/database code in the inspected files. That mismatch between documentation and implementation should be clarified.
Install Mechanism
No explicit install spec is provided, but package.json lists standard npm dependencies (yahoo-finance2, dotenv). Installing requires npm install (documented). This is a typical, moderate-risk install (npm packages from public registry). There are no downloads from arbitrary URLs or extract steps in the provided artifacts.
Credentials
The skill requests no required credentials. It optionally uses ALPHA_VANTAGE_API_KEY (appropriate for the documented backup API). SKILL.md also references DATABASE_PATH as optional; that variable is not used in the visible code, creating a documentation inconsistency. No other unrelated secrets or credentials are requested.
Persistence & Privilege
The skill is not always-enabled, does not request elevated privileges, and does not alter other skills' configs. Its persistence is limited to in-memory caching in the code; no service or daemon installation is present.
Scan Findings in Context
[unicode-control-chars] unexpected: The pre-scan detected unicode control characters in SKILL.md. This is unusual for a finance integration and could be accidental formatting or an attempt to obfuscate content. It warrants manual inspection of the raw SKILL.md for hidden characters or invisible instructions.
What to consider before installing
This skill largely appears to do what it claims (use yahoo-finance2, optionally fall back to Alpha Vantage). Before installing:
1) Review SKILL.md and README for hidden control characters (the pre-scan flagged unicode-control-chars).
2) Confirm whether DATABASE_PATH/SQLite is actually required — the code shipped uses in-memory caching; if you don't want disk access, verify no SQLite or file-write code exists in the omitted files.
3) If you provide ALPHA_VANTAGE_API_KEY, store it securely (environment variable or secrets store); the key is optional and only used as a backup.
4) Run npm install and run the skill in a sandboxed environment first, monitor outbound domains (expected: Yahoo Finance endpoints and alphavantage.co), and inspect network traffic.
5) If you need higher assurance, ask the author or request a minimal reproducible build that shows whether any filesystem or external endpoints beyond finance APIs are contacted.
If you are uncomfortable with the documentation inconsistencies or the unicode-control-chars finding, treat the package as untrusted until clarified.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/api/AlphaVantage.js:8: Environment variable access combined with network send.



