Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (data insight, pattern recognition) align with the included JS implementation (analyze, trend, compare). SKILL.md claims this skill will 'call' many other skills (github, stock-monitor, tushare, etc.), but the provided code (scripts/index.js) performs local analysis only and contains no integration or network calls and no additional env requirements. This is a documentation/implementation mismatch but not a clear security issue.
Instruction Scope
SKILL.md instructs the agent about analysis capabilities and enumerates inputs/outputs. It does not direct reading unrelated system files, environment variables, or external endpoints. The runtime JS implements only local computations and a simple CLI. No unexpected scope creep detected.
Install Mechanism
There is no install spec and only a small JS file is included. Nothing is downloaded or extracted; no packages are installed. Low install risk.
Credentials
The skill declares no required environment variables, primary credential, or config paths. The code does not access process.env or other credentials. The lack of requested secrets is proportionate to its described local-analysis functionality.
Persistence & Privilege
Flags show default behavior (always:false, agent-invocation allowed). The skill does not request permanent presence or modify other skills/configurations. No privileged persistence requested.
Assessment
This skill appears to be a small, local data-analysis module: it analyzes text and numeric series, computes simple statistics, trends, and comparisons, and exposes a CLI and exported functions. It does not request credentials or perform network calls. Two practical points before installing: (1) SKILL.md lists integrations with many finance/GitHub skills but the code does not implement any such calls—if you expect orchestration with external services, verify how that is implemented elsewhere; (2) although the skill does not transmit data, any analysis skill will process whatever input you give it—avoid sending highly sensitive secrets or credentials to it unless you have reviewed and trust its runtime environment. Overall the package is coherent and low-risk.Like a lobster shell, security has layers — review code before you run it.
latestvk97djy1skmgfz1m7txbm191gb184yx55
License
MIT-0
Free to use, modify, and redistribute. No attribution required.