Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mars Stock Analysis
v1.0.0Fundamental equity analysis and peer ranking using a structured scoring playbook (quality, balance-sheet safety, cash flow, valuation, sector adjustments, co...
⭐ 0· 34·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and the SKILL.md + playbook align: detailed fundamental equity analysis using only public financial filings/news. The skill requests no binaries, no env vars, and no installs, which is proportionate. However, metadata inconsistencies are present: the registry entry lists slug 'mars-stock-analysis' and ownerId 'kn7fqjbnftt52xn0jx866j99hx828z2y', while _meta.json contains slug 'fundamental-stock-analysis', a different ownerId ('kn757g6f5ymy86tj1zkc4e598s81eewr'), and a different version (1.0.5 vs registry 1.0.0). Source and homepage are unknown. These mismatches could be a packaging/publishing error but also can indicate the package was republished or altered — verify publisher identity before trusting.
Instruction Scope
The included playbook is explicit and scoped: it requires reading references/playbook.md, restricts web retrieval to ticker-relevant filings/financial aggregators/news, forbids handling credentials, local file discovery, and command execution. It mandates provenance (Tier 1/Tier 2 sources), cross-checking, and marking missing data as NA. This is narrowly scoped and appropriate for the stated purpose. Note: the playbook presumes the agent has web retrieval capability at runtime; confirm platform web access policies.
Install Mechanism
No install specification and no code files — instruction-only. This minimizes installation risk (nothing is written or executed locally by the skill itself).
Credentials
No required environment variables, no credentials, and the playbook explicitly forbids requesting or exposing secrets. This is proportionate to a public-data financial analysis skill.
Persistence & Privilege
always:false and user-invocable:true (defaults). disable-model-invocation:false is normal (agent may call the skill autonomously). The skill does not request elevated persistent privileges or system-wide config access. Caution: autonomous invocation + web retrieval can increase blast radius if the skill's metadata or provenance is untrusted.
What to consider before installing
Before installing: 1) Verify the publisher — ask for the canonical source repository or homepage and confirm the ownerId/slug/version match the registry entry and _meta.json. 2) Prefer skills with a public source repo or official homepage; unknown source + mismatched metadata is a red flag. 3) Confirm platform web-access policies (the playbook expects retrieving filings/news); restrict the agent's outbound network scope if possible. 4) Test in a low-risk environment first (sample tickers) and review the agent's network and request logs to ensure it only queries public financial endpoints. 5) Do not supply any private keys, API tokens, or confidential files to this skill — the playbook forbids secrets, but you should treat that as guidance that can be ignored if the skill or platform is compromised. If the publisher cannot be confirmed or metadata mismatches are unexplained, avoid installing or treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
aivk976w3wty7rt3fhn8krnjh30px83zvchfinancevk976w3wty7rt3fhn8krnjh30px83zvchlatestvk976w3wty7rt3fhn8krnjh30px83zvchstockvk976w3wty7rt3fhn8krnjh30px83zvch
License
MIT-0
Free to use, modify, and redistribute. No attribution required.