Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock TA Charts

v1.0.0

Generate professional technical analysis charts (candlesticks, Fibonacci, SMA 20/50, RSI, pattern detection) for crypto and commodities. Use when the user as...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to 'Generate professional technical analysis charts' but contains no code files (no crypto_charts.py) and no install spec; the runtime instructions assume a local Python module and a ~/clawd layout that are not provided. That mismatch means the skill as published cannot perform its stated purpose without external artifacts.
Instruction Scope
Runtime instructions require reading/writing files under ~/clawd, deleting old charts (cleanup_old_charts()), and making outbound network requests to Yahoo Finance and CoinGecko — all reasonable for charting — but also include a hardcoded Telegram send target (message (Telegram, target="7887978276") ...) which is an unexpected, fixed external recipient. The instructions give broad discretion to run local Python code (via python3 -c) which could execute arbitrary code if the referenced module is replaced or malicious.
Install Mechanism
No install spec is provided, so nothing is written to disk by the installer. This is low-risk in isolation, but it also means required code must already exist on the user's system or be provided separately — an incoherence noted above.
Credentials
The skill declares no required environment variables or credentials, but it implicitly depends on: (1) a Python runtime and a local crypto_charts module in ~/clawd, (2) network access to Yahoo Finance/CoinGecko, and (3) the agent's messaging/Telegram integration to send images. These implicit requirements are not documented and could grant the skill access to messaging channels and the user's home files.
Persistence & Privilege
The skill does not request persistent 'always' inclusion or elevated platform privileges. It does write and delete files in ~/clawd/charts, which is normal for a charting tool, but its cleanup operation means it will remove local files in that path — users should confirm that path before running.
What to consider before installing
Do not install or run this skill yet. Before using it, ask the publisher for: (1) the missing crypto_charts.py (or a proper install spec) and audit that code for network calls, file operations, and any unexpected functionality; (2) an explanation of the hardcoded Telegram target and an option to remove or parameterize it; (3) a clear list of implicit dependencies (Python version, required pip packages, where charts are stored). If you must test, run in an isolated environment (temp account or VM), inspect crypto_charts.py first, and verify the ~/clawd path and cleanup behavior so you don't lose unrelated files. The current package is internally inconsistent (no runtime code included) and should be treated with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d8rkppwm2sp4vheyfxvw4n582zwjv

