ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

US Stock Financials

v1.0.0

Fetch comprehensive financial data from SEC EDGAR XBRL for US-listed companies (especially Chinese ADRs). Includes balance sheet, income statement, cash flow...

1· 72·0 current·0 all-time
by@mli-cj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (fetch SEC XBRL financials, generate PDFs) matches the files and behavior: a Python script that queries data.sec.gov / sec.gov, parses XBRL/company facts, and produces JSON/table/PDF output. The included issuers.json aligns with the stated focus on US-listed/Chinese ADRs.
Instruction Scope
SKILL.md simply instructs running the bundled Python script with search/period/output/pdf options — scope is limited to querying the SEC and producing local output. The script does perform network requests to data.sec.gov and www.sec.gov (expected). No instructions request reading unrelated files or environment variables. Note: the code includes a fallback SSL context that disables certificate verification on failure — this widens the network trust surface and is a security concern to review.
Install Mechanism
No install spec; instruction-only plus an included Python script. Dependency noted is reportlab (PDF). The SKILL.md suggests installing reportlab with 'pip3 install reportlab --break-system-packages', which is unusual and could be harmful on system Python — prefer a virtualenv. No remote downloads or obscure installers are present in the manifest.
Credentials
The skill requests no environment variables, credentials, or config paths. All external access is to public SEC endpoints, which is proportional to the stated purpose.
Persistence & Privilege
always:false and no install-time persistence mechanisms are present. The skill doesn't request elevated privileges or modify other skill configurations.
Assessment
This skill appears to do what it claims, but review a few things before running: 1) Inspect the full scripts (the provided listing was truncated) to confirm there is no hidden network exfiltration or unexpected behavior. 2) The code contains an explicit insecure SSL fallback that disables certificate verification; consider removing that fallback or restricting it to debugging only, because it makes network requests susceptible to MITM. 3) Do not run the 'pip3 install ... --break-system-packages' command on a system Python; instead create and use a virtualenv (python3 -m venv .venv && source .venv/bin/activate && pip install reportlab). 4) Run the script in an isolated environment (container/VM) if you are unsure, and avoid providing any unrelated credentials to the process. 5) If you plan to make many requests to SEC endpoints, consider adding a contact email per SEC access guidance and rate-limiting your requests to avoid being blocked.

Like a lobster shell, security has layers — review code before you run it.

latestvk978dng0c0cgxvrfbgqpp58fz183crbx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments