finance_monitor

This skill appears to be a simple CNBC scraper that stores data in a local SQLite DB, but there are two things to check before installing: 1) API key ambiguity: The top-level description says no API key is required, yet SKILL.md shows FINNHUB_API_KEY and a --finnhub-key option. Before running, open scripts/fetch_data.py and confirm whether the script actually attempts to call Finnhub or any other API when the key is present, and whether it behaves correctly without a key. If you don't want to provide any API key, run the script once and verify it fetches the expected CNBC pages. 2) Secret handling: If you do need to provide FINNHUB_API_KEY, prefer environment variables (FINNHUB_API_KEY) over passing it on the command line (--finnhub-key) because command-line args can appear in process listings and logs. The SKILL.md already warns about this. Other practical checks: - Review the full fetch_data.py to confirm the only network endpoints contacted are CNBC (and optionally Finnhub) and that no hidden endpoints or data-exfiltration logic exist. - Run the script in a controlled environment first (temporary directory, non-privileged user) and inspect the created DB and logs. The script includes a path-safety check refusing obvious system paths; still avoid running it as root. - If you schedule it (cron/Task Scheduler/OpenClaw cron), ensure the DB path is to a directory you control and that the FINNHUB_API_KEY (if used) is set via secure environment variables, not in a public file or scheduler command line. Given the inconsistent documentation (no API key claimed vs. Finnhub examples), exercise caution but the code and instructions are not obviously malicious. If you want, paste the remainder of scripts/fetch_data.py (it was truncated) and I can check the rest for hidden network calls or suspicious behavior.