Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
broker-monitor
v1.0.0
Generate a weekly monitoring report for US retail brokerage stocks (IBKR, SCHW, HOOD, FUTU) AND the broader trading ecosystem including US equity/options mar...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes gathering market and broker metrics, updating a multi-sheet Excel database, and generating a weekly report. All declared resources (report template, excel schema, metrics lists) are consistent with that purpose; no unrelated credentials, binaries, or install steps are requested.
Instruction Scope
Instructions explicitly direct the agent to search public market data sources and to read/write an Excel file (path: /mnt/user-data/uploads/ and local workbook names). This is coherent for a reporting skill, but you should note the agent is instructed to access user-uploaded files and to create/save updated workbooks (e.g., '券商监控数据库_updated.xlsx'). The SKILL.md also references updating a React dashboard (window.storage API, regenerating JSX constants) which is out-of-band for a pure agent and represents scope creep: it assumes ability to modify web app code or browser storage that may not be available in the runtime.
Install Mechanism
No install spec is provided (instruction-only), which minimizes risk. The runtime examples use openpyxl and Python; that is reasonable for Excel manipulation but the skill does not declare or install openpyxl—if the agent environment lacks it the code paths will fail. No remote downloads, obscure URLs, or package installs are present.
Credentials
The skill requests no environment variables, credentials, or config paths. All external access is to public web sources (Cboe, OCC, CoinGecko, The Block, Dune, etc.). There are no requests for unrelated secrets or elevated access tokens.
Persistence & Privilege
The skill writes persistent artifacts (Excel files) and expects to read user uploads from a specific path. always:false (normal). This persistent read/write behavior is expected for a database-backed reporting workflow, but users should be aware the agent will read any file placed in the stated upload directory and will write updated workbooks to disk.
Assessment
This skill is internally consistent with its reporting purpose, but consider these points before installing:
- The agent will read an Excel file from /mnt/user-data/uploads/ if present and will create/save updated workbooks (e.g., '券商监控数据库_updated.xlsx'). Do not upload sensitive files to that directory unless you trust the skill.
- The instructions expect Python + openpyxl; your runtime may not have that library installed. If it isn't available, report generation or Excel updates may fail.
- The SKILL.md also mentions browser-facing dashboard actions (window.storage, regenerating JSX). Those steps require access to your dashboard code or browser environment and are not automatically performed by a normal agent — treat those as manual developer tasks rather than autonomous actions the skill will take.
- The skill performs web searches against public data sources (Cboe, OCC, CoinGecko, Dune, The Block). It does not request API keys, but some dashboards (Dune/theblock premium endpoints) may require credentials; the skill does not provide a mechanism for handling authorized API access.
- If you proceed, verify output filenames and review any files the agent writes. If you prefer limiting file exposure, avoid placing unrelated documents in the upload directory and restrict directory permissions.
If you want, I can list the exact places in SKILL.md where the agent will read/write files or require openpyxl, or suggest a minimal checklist to safely run this skill in your environment.
Like a lobster shell, security has layers — review code before you run it.
