FinClaw

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you add API keys, the skill can use those keys to call finance-data providers.

Why it was flagged

The skill reads optional market-data API keys from the user's OpenClaw configuration. This is disclosed and fits the finance-data purpose, but users should know credential configuration is accessed.

Skill content

_CONFIG_PATH = os.path.expanduser("~/.openclaw/openclaw.json") ... _KEY_MAP = {"finnhubApiKey": "FINNHUB_API_KEY", ...}

Recommendation

Use read-only/free-tier market-data keys where possible and only add keys you are comfortable using with this skill.

What this means

The code installed in the Python environment may change as upstream packages publish new versions.

Why it was flagged

The Python dependencies are listed without version pins, so installation may pull newer package versions over time. These packages are purpose-aligned for finance data and charting.

Skill content

yfinance
pandas
matplotlib
mplfinance
finnhub-python
requests
fredapi

Recommendation

Prefer a lockfile or pinned versions for reproducible installs, especially if using the skill for ongoing portfolio tracking.

What this means

Your holdings, transaction records, notes, and alerts can remain stored on disk between sessions.

Why it was flagged

The skill persists portfolio positions, transactions, and alerts in a local SQLite database, which is expected for portfolio tracking but may contain private financial information.

Skill content

CREATE TABLE IF NOT EXISTS positions ... CREATE TABLE IF NOT EXISTS transactions ... CREATE TABLE IF NOT EXISTS alerts

Recommendation

Treat the skill's data directory as private, avoid entering information you do not want stored locally, and remove the database if you uninstall the skill.

Note

High Confidence

ASI10: Rogue Agents

What this means

If you schedule it, the skill can keep checking prices and updating alert status after the initial setup.

Why it was flagged

The alert checker is designed to be scheduled externally, which is a form of user-controlled persistence. The artifacts do not show it installing cron jobs automatically.

Skill content

"""Cron job: check all active alerts against current prices."""

Recommendation

Only add a cron or scheduler entry deliberately, and remove that schedule if you no longer want background alert checks.