v1.0.4

finance_monitor

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:05 AM.

Analysis

The skill is mostly consistent with fetching market data, but it contradicts its own no-API-key claim by asking users to provide a Finnhub API key that is not clearly justified or declared.

GuidanceReview the Finnhub API key instructions before installing. If you only expect CNBC scraping with no credentials, do not provide an API key unless the maintainer updates the documentation and metadata to clearly explain why it is required.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

纯 stdlib，无需任何 API Key... FINNHUB_API_KEY 环境变量 | ✅ 推荐... --finnhub-key 参数 | ⚠️ 备用

The documentation presents a no-key safety posture while also recommending a sensitive API key workflow, which can mislead users about what access the skill needs.

User impactUsers may trust the skill as credential-free, then follow instructions that expose or store an API key.

RecommendationMake the credential requirements consistent across the description, metadata, and usage examples before installation.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

OpenClaw cron... "cron": "0 * * * *"... "env": { "FINNHUB_API_KEY": "你的key" }

The skill documents optional persistent scheduled execution. This is user-directed and purpose-aligned for periodic data fetching, but it is still ongoing background activity.

User impactIf enabled, the skill will keep running on a schedule and continue making network requests and writing to the database.

RecommendationOnly enable the scheduled job if continuous updates are desired, and remove the cron entry when no longer needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

SKILL.md

description: 从 CNBC 抓取 18 个金融指标数据...无需任何 API Key... 获取 Finnhub API Key... export FINNHUB_API_KEY=你的key

The artifact first says no API key is needed for CNBC data, then asks the user to obtain and provide a Finnhub API key. This introduces sensitive account authority that is not clearly justified by the stated purpose.

User impactA user may provide a third-party API credential even though the skill claims it does not need one.

RecommendationClarify whether Finnhub is actually used. If not, remove all Finnhub key instructions; if it is required, declare the credential in metadata, explain why it is needed, and avoid command-line key passing.