Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finnhub Skill

v0.2.0

Read-only market data skill for Finnhub. Use when the user wants stock, forex, crypto, company profile, candles/K-lines, news, earnings, or economic calendar...

Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability (flagged)
The skill's name and description claim read-only Finnhub access, which matches the code and SKILL.md. However, the registry metadata declares no required environment variables and no primary credential, while SKILL.md and the scripts clearly require FINNHUB_API_KEY (and optionally FINNHUB_BASE_URL). The undeclared credential is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to use the bundled Python script for read-only queries, to require FINNHUB_API_KEY, and to restrict the base URL to the official Finnhub domain. The instructions do not ask for unrelated files, secrets, or external endpoints and explicitly forbid non-Finnhub hosts.
Install Mechanism
There is no install spec (instruction-only behavior) and the included Python script is bundled in the repo. No external downloads or package installs are required, which keeps install risk low.
Credentials (flagged)
The code and SKILL.md require FINNHUB_API_KEY (and optionally FINNHUB_BASE_URL), but the skill metadata lists no required env vars or primary credential. This mismatch is suspicious because it hides the fact that a secret is required. The script sends the API key as a query parameter (standard for this API) and attempts to redact query tokens from error text, but the redaction only looks for 'token=...' patterns and might not catch other exposures (e.g., the token appearing in a JSON body or in a nonstandard error format).
Persistence & Privilege
The always flag is false, and the skill does not request persistent system privileges or modify other skills. It can be invoked autonomously (default platform behavior), which is normal but worth noting, since it will be able to make live Finnhub requests once given an API key.
What to consider before installing
This skill's behavior (read-only Finnhub access) and the included Python client are consistent, but the registry metadata's failure to declare FINNHUB_API_KEY as the primary credential is a red flag. Before installing:
1) confirm you are comfortable supplying your Finnhub API key to this skill and that the key has only the necessary permissions;
2) ask the publisher, or update the metadata yourself, so that FINNHUB_API_KEY is listed as the primary credential;
3) review the bundled scripts yourself (they are small) to ensure there are no hidden endpoints;
4) do not set FINNHUB_BASE_URL to an arbitrary host; only use the official Finnhub domain;
5) be aware that the skill can be invoked autonomously by agents (the default); if you do not want that, disable autonomous invocation.
These steps reduce the risk of accidental credential exposure or unexpected network calls.

Like a lobster shell, security has layers — review code before you run it.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.
