Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Investment Browser SEC Scraper

v1.0.0

Professional SEC EDGAR 10-Q/10-K parser for institutional investors. Extracts 47 financial metrics from HTML tables including Revenue, Net Income, EPS, Free...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to scrape SEC EDGAR filings and extract financial metrics — the runtime instructions explicitly direct the agent to sec.gov and to extract revenue, net income, growth %, MD&A risks, which is coherent. However the skill also claims to produce PDFs and a Google Sheet and to 'send links' without declaring how files are generated, hosted, or what credentials (if any) are used — this is an unexplained capability.
Instruction Scope
SKILL.md instructs the agent to browse sec.gov/edgar for the latest filing and extract tables and risks — that is scoped to the stated purpose. Instructions are high-level and grant the agent broad discretion for output handling (create PDF, create Google Sheet, send links), which is vague and could result in the agent contacting external services or using the user's authenticated browser sessions in ways not explicitly documented.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk and there is no direct install risk.
Credentials
The manifest lists no required env vars or credentials, yet the instructions reference producing a Google Sheet and sending links. Creating or uploading to Google Drive/Sheets normally requires credentials or an authenticated session — the lack of declared credentials is a proportionality mismatch. It's unclear whether the skill expects to use an already-authenticated browser session, platform-side OAuth, or external hosting, which should be clarified.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges. There is no indication it modifies other skills or system config.
What to consider before installing
This skill appears to do what it says (scrape EDGAR and extract metrics) but is vague about how it generates and shares outputs. Before installing, ask the publisher how PDFs and Google Sheets are created and hosted, and whether any Google or cloud credentials will be required or stored. Confirm where 'links' are uploaded (Google Drive, a third-party host, or an ephemeral service) and whether the skill will use your logged-in browser session. Because this is instruction-only and can make external requests, test it first with non-sensitive tickers and avoid granting broad automation privileges until you understand its hosting/auth flow. If you need strong guarantees, request a source repo or documentation and a privacy/security policy from the author.
