Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Portfolio Risk Desk
v1.0.2
Generate a portfolio-aware daily or on-demand risk analysis brief from public market data, company updates, earnings material, and macro context, then emit a...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The package implements retrieval, normalization, ranking, synthesis, rendering, and a Notion handoff which matches the described purpose. However, the registry summary at the top lists no required environment variables while SKILL.md (and README/clawhub.json) declares APIFY_API_TOKEN (required) and other optional host-scoped variables; that metadata mismatch is unexpected and should be resolved.
Instruction Scope
SKILL.md and the code focus on gathering public-market evidence, synthesizing it, and emitting a host-consumable handoff. The runtime instructions include an Apify bootstrap step (APIFY_API_TOKEN) and expect the host to perform Notion writes and memory persistence. There are no instructions that ask the agent to read unrelated local secrets or arbitrary host files in the visible files, but retrieval and delivery code (e.g., apify bootstrap and retrieval adapters) are present and should be audited for exact network behavior before use.
Install Mechanism
No install spec is provided (instruction/code bundle included). The package is a normal Python project with no external download/install-from-URL steps listed in the manifest. This reduces install-time supply-chain risk compared to remote installers.
Credentials
SKILL.md lists APIFY_API_TOKEN as required and documents bootstrap behavior that uses that token; that is proportionate to live web retrieval via Apify but the registry metadata omitted any required env vars. The code only enforces the token when enable_live_providers is true, so SKILL.md's unconditional 'required: true' is inconsistent. APIFY_API_TOKEN grants the skill (or whoever runs bootstrap) the ability to act against the user's Apify account — treat it as a high-privilege secret. CIVIC_CLIENT_ID and NOTION_PARENT_PAGE_ID are optional and align with host-managed functionality.
Persistence & Privilege
The skill does not request persistent inclusion (always: false). It produces handoff payloads intended for the host to write to Notion or memory; it does not itself modify other skills or system-wide settings in the visible code. Autonomous invocation is allowed (platform default) but is not combined with other high-privilege flags.
What to consider before installing
This skill appears to implement the portfolio briefing it advertises, but there are two things to check before installing: (1) Resolve the metadata mismatch — the registry claims no required env vars while SKILL.md and the README require APIFY_API_TOKEN (and optionally CIVIC_CLIENT_ID/NOTION_PARENT_PAGE_ID). If you do not want the skill to use your Apify account, do not supply APIFY_API_TOKEN or set ENABLE_LIVE_PROVIDERS=false. (2) Audit the retrieval/bootstrap code (apify_bootstrap.py and retrieval adapters) to confirm exactly what network calls and task creation the skill will perform with APIFY_API_TOKEN. Treat APIFY_API_TOKEN as a high-privilege secret (it can create/run tasks and access scraped data). If you rely on host-managed Notion or Redis, confirm the host implements those handoffs and that the skill will not perform direct writes. If unsure, run the package in a local sandbox with live providers disabled and review the output and tests first.
Like a lobster shell, security has layers — review code before you run it.
Portfolio-aware daily market briefs with memory and Notion handoff
