Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gold-radar

v1.0.0

Real-time gold price monitoring and investment decision support system. Use when users ask about gold prices, gold investment analysis, market trends for pre...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description match the stated purpose (gold monitoring and investment support). However, the skill's workflows refer to real-time data feeds, executing trading decisions, and a local config.json for user profile/watchlist, yet the package declares no required environment variables, no config paths, and there is no config.json in the file manifest. Real-time monitoring and automated trading would normally require API keys, broker credentials, or at least a documented integration; their absence is inconsistent with the claimed functionality.
! Instruction Scope
SKILL.md explicitly instructs the agent to 'Check config.json' and to 'execute trading decisions' on certain alerts. It also references fetching or prioritizing multiple external data sources (Bloomberg/TradingView/SGE/Twitter) but provides no concrete endpoints, auth requirements, or limits. The instructions are vague in places (e.g., 'execute trading decisions') and direct the agent to access a local config that is not declared or supplied — scope creep and an unclear runtime surface.
Install Mechanism
There is no install specification (instruction-only), which is low-risk. However, repository files include package.json and a large package-lock.json listing dependencies (notably 'clawhub'), despite no install instructions or code files. This is inconsistent: either the skill was intended to include runnable code or the package files are leftover. The presence of a package-lock implies Node packages could be required if the author intended code to run, but no install mechanism is provided.
! Credentials
The skill declares no required environment variables or primary credential, yet its workflows imply access to live market feeds and the ability to place trades/notifications. Those operations normally require credentials (market data APIs, broker APIs, notification/webhook endpoints). The lack of declared secrets or config paths is disproportionate to the claimed automated capabilities and increases the chance the agent will (a) attempt unsupported actions or (b) ask the user for sensitive credentials ad hoc.
Persistence & Privilege
The skill is not set to always: true and is user-invocable with normal autonomous invocation allowed. There is no install spec writing persistent components or modifying other skills. From a persistence/privilege standpoint this is standard and not elevated.
What to consider before installing
This skill's text promises real-time monitoring and even automated trading, but the package contains no runnable code or install instructions and there is no config.json or declared API/broker credentials. Before installing or enabling it:
1) Ask the publisher for the source/homepage and a clear integration plan (which APIs/brokers, required env vars, where config.json should live).
2) Do not provide broker API keys or other secrets until you confirm how and where they will be stored and used.
3) If you only want analysis (not execution), require the skill to be read-only and explicitly disable any autonomous trade execution.
4) If you plan to rely on real-time data, insist on documented, auditable data endpoints and credentials rather than ad-hoc web-scraping or asking you to paste tokens.
5) Consider declining installation until the author removes the ambiguity around executing trades, supplies the missing config, or provides a verifiable code package and homepage.
If you need help formulating questions to ask the author, I can draft them.


Version: latest (vk9778dw7dp7qd8vfgvc0qfm3md83gwte)
