Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Us Stock Analysis Litiao

v1.0.0

Comprehensive US stock analysis including fundamental analysis (financial metrics, business quality, valuation), technical analysis (indicators, chart patter...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and included reference docs align with providing US stock analysis. Requesting a TAVILY_API_KEY is reasonable given the stated preference for the Tavily API. However, the SKILL.md also expects an existing Tavily search skill implementation in a concrete filesystem location (~/.openclaw/workspace/skills/tavily-search-litiao) and instructs running node scripts there. That external dependency is not included in this package and is not justified or declared in metadata, which is an incoherence (the skill assumes other code will be present).
Instruction Scope
The instructions tell the agent to cd into a specific user-home path and run node scripts (node scripts/search.mjs ...) that are not part of this skill. That creates two problems: (1) the skill implicitly relies on another skill/repository being present, and (2) running commands in an arbitrary path could execute code you didn't review if that path exists. Besides this, the rest of the instructions (use Tavily or web search to fetch financial data, read included references, generate reports) are scoped to the stated purpose and do not request unrelated secrets or file reads.
Install Mechanism
This is an instruction-only skill with no install steps and no downloads. That minimizes supply-chain risk from this package itself. The risk comes from its runtime expectation of another workspace (node scripts) that would live outside this skill.
Credentials
Only TAVILY_API_KEY is requested, which is proportionate if the skill calls the Tavily API. There are no other credentials or config paths requested. Users should be aware that providing TAVILY_API_KEY gives the skill (and any code it invokes) access to that third-party service — verify you trust the code that will use the key.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config or other skills' credentials. Autonomous invocation is enabled by default (normal). The skill does not request persistent installation privileges itself.
What to consider before installing
This skill's analysis content and reference docs match a stock-analysis tool, and the TAVILY_API_KEY requirement is sensible. However, the runtime instructions assume a separate Tavily-search codebase exists at ~/.openclaw/workspace/skills/tavily-search-litiao and tell the agent to run node scripts there — those scripts are NOT included. Before installing or providing credentials: (1) confirm whether you have or trust the referenced tavily-search code at that exact path (if present it could run arbitrary JS); (2) if you don't have that code, the node commands will fail — ask the publisher for a complete package or remove the cd/exec steps; (3) only provide TAVILY_API_KEY if you trust the service and any code that will use it; (4) if you want lower risk, restrict the skill to using web_search fallback only or request the Tavily calls be performed via a packaged, reviewable client instead of an assumed external workspace.


latest: vk97es4mryzvf98f5a1z93yp7y5833xw0


Runtime requirements

📈 Clawdis
Env: TAVILY_API_KEY
