Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Finance Advisor
v1.0.0
Provide your financial details to get a personalized wealth plan with best savings rates, hidden fee detection, optimized debt payoff, investing roadmap, and...
License
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md repeatedly states it scrapes real-time market/data sources (Apify scrapers, Google/Reddit), calls InVideo AI to produce videos, and uses Claude AI for plan generation — yet the registry metadata declares no required environment variables, no primary credential, and no install steps. Integrations with Apify, InVideo, and Claude normally require API keys and/or accounts. The lack of declared credentials or a provenance/homepage is inconsistent with the claimed capabilities.
Instruction Scope
The runtime instructions ask for detailed, sensitive inputs (income, expenses, debts, account balances, insurance premiums, goals) and promise to cross-reference and scrape third-party sources to identify leaks and rates. That implies transmitting sensitive financial and possibly personal data to external services (Apify, InVideo, Claude) — but SKILL.md does not state where or how user data is transmitted, stored, or anonymized. There is no explicit user-consent/PII-handling guidance in the visible content.
Install Mechanism
No install spec and no code files are present; this reduces risk from on-disk arbitrary code execution. However, being instruction-only means the skill relies on network calls and the agent's runtime to perform scraping and external API calls, which still poses data-transmission risk.
Credentials
The skill asserts use of multiple third-party services that would normally require API credentials, yet requires no env vars and lists no primary credential. That mismatch is disproportionate and unclear — either the skill expects the agent/platform to provide keys (not declared) or it will instruct the user to paste credentials at runtime. Both cases need clarification because they affect privacy and security.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no elevated persistent privilege requested. The skill can be invoked autonomously by the agent (disable-model-invocation:false), which is the platform default; combined with the sensitivity of input data and the external integrations this increases potential blast radius but is not itself an immediate violation.
What to consider before installing
Do not paste real account numbers, login credentials, SSNs, or full bank statements into this skill until the developer clarifies how data flows. Ask the publisher these questions before installing: (1) exactly which external services are called at runtime, (2) whether your raw input is uploaded to Apify/InVideo/Claude (and if so, which accounts/tenants are used), (3) whether API keys are required and how/where they are stored, (4) data retention, logging, and deletion policies, (5) whether data is encrypted in transit and at rest, and (6) whether outputs (like the video) are publicly shared or accessible to third parties. Prefer testing with synthetic or redacted data first. If you need a finance tool now, consider well-known apps or consult a licensed advisor rather than giving full financial details to an unverified, provenance-less skill.
Like a lobster shell, security has layers — review code before you run it.
