Investing
v1.0.0Personal investing assistant for Lithuanian investors. Monitors markets, ETFs, crypto, pension funds (III pakopa), and provides monthly investment suggestions based on research and market conditions.
⭐ 0· 912·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the included scripts and guidance (ETF/crypto monitoring, DCA). However the packaged shell scripts require common CLI tools (curl, jq, bc) that are not declared in the metadata. The SKILL.md mentions executing trades via brokers but the skill provides no code, instructions, or declared env vars for broker API credentials — this is ambiguous and could mislead users about autonomous trading capability.
Instruction Scope
Runtime instructions direct the agent to run the included scripts, scan specific websites (local and international finance sites, Reddit), and to 'execute trades' via named brokers. The skill does not instruct reading local secrets or files, but it references updating a portfolio spreadsheet without specifying storage/location. The 'execute trades' step is vague: no broker APIs, credential handling, or automated trade logic is included, so it's unclear whether trade execution is expected to be manual or automated.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts), so nothing is downloaded or installed automatically. The two included shell scripts are plain text and call well-known public endpoints (Yahoo Finance, CoinGecko).
Credentials
The skill declares no required environment variables, but it implicitly needs command-line tools (curl, jq, bc) to run the scripts. More importantly, the workflow calls for executing trades via Interactive Brokers / Bitstamp / Kraken but the skill requests no broker credentials and provides no mechanism for safe credential use — this is an unaddressed gap that could lead a user to supply credentials in an insecure way or expect the agent to have capabilities it lacks.
Persistence & Privilege
always:false and no system-wide config changes are requested. The SKILL.md suggests cron-style scheduled agent turns (daily/monthly reminders). Autonomous invocation is allowed by default (normal), so if scheduled jobs are registered by the platform the agent could run checks automatically — that increases operational risk only if you grant it broker credentials or otherwise enable automated trading.
What to consider before installing
This skill appears to do what it says (market checks and DCA suggestions) but has some inconsistencies you should resolve before use: 1) The included scripts require curl, jq and bc; ensure those are present and inspect the scripts locally. 2) The workflow mentions executing trades via brokers but the skill provides no API integration or credential handling — do NOT provide exchange/broker API keys to the skill unless you understand how they will be stored and used. 3) Scheduled cron-like agent turns could make the agent run actions automatically; if you do not want autonomous checks or potential automated trades, disable autonomous invocation or remove scheduled jobs. 4) Test the scripts manually on your machine to confirm outputs and network endpoints (Yahoo/Coingecko) and verify no unexpected endpoints are contacted. Additional information that would raise confidence: a declared list of required binaries, explicit handling/storage policy for broker API keys, and a verified publisher/homepage or source repository.Like a lobster shell, security has layers — review code before you run it.
latestvk97fa44c6gkknwjwygtgckme15813mah
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💰 Clawdis