Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

yahoo-finance-bist

v1.0.0

Yahoo Finance API-based historical data analysis, algorithmic technical indicator score (RSI, MACD, Stoch, SMA), Excel historical data export, portfolio alarm tak...

by Niyazi Sönmez @nikolayco
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, the four Python scripts, and included data files all implement Yahoo Finance historical data fetch, indicator calculation (RSI, MACD, Stoch, SMA), CSV/Excel export, portfolio alerts and trade logging — consistent with the stated purpose.
Instruction Scope
SKILL.md mandates the agent must run specific exec commands (absolute paths) for user queries, announce 'script is running', then read and relay ONLY the script output and must not use any internal knowledge. This enforces blind execution of local code and suppresses model reasoning/transparency. Although the included scripts appear to access only Yahoo Finance and local files, the enforced output-only workflow increases risk (it can hide what the agent did) and is unusual. The SKILL.md also uses absolute paths (/home/node/.openclaw/skills/...), which may not match the deployment location of the provided files — an operational inconsistency.
Install Mechanism
No install spec / no external downloads. All source files are included in the skill bundle (no network install step), so there's no remote installer or archive to fetch.
Credentials
The skill requires no environment variables or credentials; scripts call only Yahoo Finance public endpoints and read/write files under the skill directory. The requested access (network to Yahoo, local file read/write) is proportionate to the described features.
Persistence & Privilege
always:false and user-invocable:true. The scripts create and manage local files (trade_history.json, portfolio_alerts.json, CSVs under symbol_data/) and will remove old CSVs if many accumulate. The skill does not request system-wide config or other skills' credentials. Be aware the platform default allows autonomous invocation (disable-model-invocation:false); combined with the SKILL.md requirement to auto-exec scripts on matching keywords, this increases blast radius if the agent is permitted to act autonomously.
What to consider before installing
- The code provided implements the advertised Yahoo Finance features and does not request credentials, but SKILL.md forces the agent to run local scripts and only return their output (no model reasoning shown). That pattern is unusual because it makes the agent a blind conduit for script outputs — verify you trust the included scripts.
- Review the included Python files yourself (they are bundled) and confirm they do only what you expect: fetch Yahoo endpoints, compute indicators, and write CSV/HTML in the skill folder. They do not contact other external domains or read arbitrary system files.
- Confirm the exec paths in SKILL.md (/home/node/.openclaw/skills/yahoo_portfoy_analiz/...) match where the skill will be installed. If not, the agent may fail to run or attempt to execute different code.
- Because scripts write files and can create many CSVs, run the skill in a sandboxed environment or with limited filesystem/network permissions if possible.
- If you plan to allow autonomous agents to use this skill, consider disabling autonomous invocation or requiring explicit user confirmation before running any scripts, so the agent cannot silently execute code on keyword matches.
- If you need higher assurance, ask the publisher for a signed release or run the scripts manually in a controlled environment to validate outputs before allowing automatic execution.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dptgjnv15qrzcs1sb0qtcwn823h6y
