FinClaw

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: finclaw
Version: 1.0.0

The OpenClaw FinClaw skill bundle appears benign. It provides financial assistance features like real-time quotes, portfolio tracking, and technical analysis, relying on legitimate third-party financial APIs (Finnhub, Binance, yfinance, FRED, Alpha Vantage, ExchangeRate-API). API keys are expected to be configured by the user in `openclaw.json` and are used only with their respective, known API endpoints. Data is stored locally in an SQLite database (`data/finance.db`), and charts are generated as PNG files in `data/charts`. The `SKILL.md` and other documentation files contain standard instructions for skill setup and usage, with no evidence of prompt injection attempts, unauthorized command execution, data exfiltration to malicious endpoints, or persistence mechanisms beyond the user-initiated `check_alerts.py` cron job.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you add API keys, the skill can use those keys to call finance-data providers.

Why it was flagged

The skill reads optional market-data API keys from the user's OpenClaw configuration. This is disclosed and fits the finance-data purpose, but users should know credential configuration is accessed.

Skill content
_CONFIG_PATH = os.path.expanduser("~/.openclaw/openclaw.json") ... _KEY_MAP = {"finnhubApiKey": "FINNHUB_API_KEY", ...}
Recommendation

Use read-only/free-tier market-data keys where possible and only add keys you are comfortable using with this skill.

What this means

The code installed in the Python environment may change as upstream packages publish new versions.

Why it was flagged

The Python dependencies are listed without version pins, so installation may pull newer package versions over time. These packages are purpose-aligned for finance data and charting.

Skill content
yfinance
pandas
matplotlib
mplfinance
finnhub-python
requests
fredapi
Recommendation

Prefer a lockfile or pinned versions for reproducible installs, especially if using the skill for ongoing portfolio tracking.

What this means

Your holdings, transaction records, notes, and alerts can remain stored on disk between sessions.

Why it was flagged

The skill persists portfolio positions, transactions, and alerts in a local SQLite database, which is expected for portfolio tracking but may contain private financial information.

Skill content
CREATE TABLE IF NOT EXISTS positions ... CREATE TABLE IF NOT EXISTS transactions ... CREATE TABLE IF NOT EXISTS alerts
Recommendation

Treat the skill's data directory as private, avoid entering information you do not want stored locally, and remove the database if you uninstall the skill.

Note (High Confidence)
ASI10: Rogue Agents
What this means

If you schedule it, the skill can keep checking prices and updating alert status after the initial setup.

Why it was flagged

The alert checker is designed to be scheduled externally, which is a form of user-controlled persistence. The artifacts do not show it installing cron jobs automatically.

Skill content
"""Cron job: check all active alerts against current prices."""
Recommendation

Only add a cron or scheduler entry deliberately, and remove that schedule if you no longer want background alert checks.