ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

alphaear-sentiment

v1.0.0

Analyze finance text sentiment using FinBERT or LLM. Use when the user needs to determine the sentiment (positive/negative/neutral) and score of financial te...

0· 5·0 current·0 all-time
by@zhouzhonglu8-png
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (financial sentiment via FinBERT or LLM) aligns with the code: there are BERT-based pipelines, DB storage, and helper methods for LLM-driven analysis. However, the SKILL.md lists only torch, transformers, and sqlite3 as dependencies and declares no environment variables, while the code contains references to many LLM provider keys and other libs (pandas, loguru, dotenv, agno models). This mismatch suggests the manifest underreports what the skill actually needs.
!
Instruction Scope
SKILL.md instructs the Agent to run an LLM prompt and optionally save results to the local SQLite DB. The code will initialize/load models, potentially download BERT models from the network, and the LLM factory/router will use environment-configured providers (openai/ollama/deepseek/dashscope/openrouter/zai/ust). The code also loads .env via dotenv in the router, meaning it will attempt to pull config from disk. These behaviors are within a sentiment skill's possible needs but the instructions do not declare or explain the full set of env vars/read operations, giving the agent broad discretion to contact external LLM endpoints and to read .env files.
Install Mechanism
There is no install spec (instruction-only), so nothing will be explicitly installed by the registry. But the code depends on many Python packages (torch, transformers, pandas, loguru, dotenv, agno model connectors) and may download large BERT model artifacts at runtime. Lack of an install specification and missing declared requirements means the runtime may attempt network downloads or fail unexpectedly.
!
Credentials
The skill declares no required env vars, yet factory/router/capability code references multiple provider-specific API keys and host variables (DEEPSEEK_API_KEY, DASHSCOPE_API_KEY, OPENROUTER_API_KEY, ZAI_KEY_API, UST_KEY_API, UST_URL, LLM_PROVIDER, REASONING_MODEL_ID, etc.). The router also loads a .env file. Requiring access to arbitrary LLM provider keys is reasonable for LLM mode, but these credentials should be declared and minimized in the manifest — their absence is a proportionality/information gap that prevents informed consent.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The code creates/writes a local SQLite DB at data/signal_flux.db by default (and will write meta_data.json fields). Writing local DB is consistent with the functionality, but users should know where data is stored. The skill does not request global agent persistence or modify other skills' configurations.
What to consider before installing
Key things to consider before installing: - Missing declarations: The SKILL.md lists only torch/transformers/sqlite3 and declares no env vars, but the code expects many additional Python packages (pandas, loguru, python-dotenv, agno model connectors) and multiple LLM provider API keys (DEEPSEEK_API_KEY, DASHSCOPE_API_KEY, OPENROUTER_API_KEY, ZAI_KEY_API, UST_KEY_API, UST_URL, etc.). Ask the publisher to provide a complete requirements list and clearly declare required environment variables. - Network and downloads: If BERT is not available locally the skill will download models from the network (potentially large). LLM provider code will send text to external endpoints if configured — this is expected for LLM analysis but you should confirm which providers will be used and whether you permit sending financial text to them. - .env usage: The router loads a .env file. That can expose environment variables from disk into the skill process; ensure any .env in the working directory does not contain unrelated secrets you don't want the skill to access. - Data storage: The skill writes a SQLite DB (default path data/signal_flux.db) and updates meta_data fields. Confirm this storage location is acceptable and that sensitive inputs won't be accidentally persisted. - Code issues / tests: There are a few internal inconsistencies (e.g., an import path in router referencing utils.llm.capability while capability.py is in scripts/llm; truncated or malformed strings in the database_manager file snippet) that suggest the package may not run as-is. Request corrected code, a full dependency file (requirements.txt or pyproject), and a manifest of required environment variables. - Run in sandbox: Until clarified, run the skill in an isolated environment (no access to production secrets) to observe network calls and model downloads. If the publisher provides a complete dependency list and explicit env var declarations and fixes the import/formatting issues, the skill appears coherent for its stated purpose. As-is, the underreporting of external credentials/dependencies and a few code inconsistencies make it suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk9715xt1h38kqz4aazsgezxbz9840mcm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

AlphaEar Sentiment Skill

Overview

This skill provides sentiment analysis capabilities tailored for financial texts, supporting both FinBERT (local model) and LLM-based analysis modes.

Capabilities

Capabilities

1. Analyze Sentiment (FinBERT / Local)

Use scripts/sentiment_tools.py for high-speed, local sentiment analysis using FinBERT.

Key Methods:

  • analyze_sentiment(text): Get sentiment score and label using localized FinBERT model.
    • Returns: {'score': float, 'label': str, 'reason': str}.
    • Score Range: -1.0 (Negative) to 1.0 (Positive).
  • batch_update_news_sentiment(source, limit): Batch process unanalyzed news in the database (FinBERT only).

2. Analyze Sentiment (LLM / Agentic)

For higher accuracy or reasoning capabilities, YOU (the Agent) should perform the analysis using the Prompt below, calling the LLM directly, and then update the database if necessary.

Sentiment Analysis Prompt

Use this prompt to analyze financial texts if the local tool is insufficient or if reasoning is required.

请分析以下金融/新闻文本的情绪极性。
返回严格的 JSON 格式:
{"score": <float: -1.0到1.0>, "label": "<positive/negative/neutral>", "reason": "<简短理由>"}

文本: {text}

Scoring Guide:

  • Positive (0.1 to 1.0): Optimistic news, profit growth, policy support, etc.
  • Negative (-1.0 to -0.1): Losses, sanctions, price drops, pessimism.
  • Neutral (-0.1 to 0.1): Factual reporting, sideways movement, ambiguous impact.

Helper Methods

  • update_single_news_sentiment(id, score, reason): Use this to save your manual analysis to the database.

Dependencies

  • torch (for FinBERT)
  • transformers (for FinBERT)
  • sqlite3 (built-in)

Ensure DatabaseManager is initialized correctly.

Files

8 total
Select a file
Select a file to preview.

Comments

Loading comments…