Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Charts

v1.1.0

Generate 90-day candlestick charts with SMA 20/50, RSI, Fibonacci retracements, and pattern detection for BTC, ETH, XRP, SUI, Gold, and Silver.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill promises to 'use the local crypto_charts.py module' and exposes many functions (generate_all_charts, fetch_yfinance, etc.), but the published bundle contains no code files — only SKILL.md and metadata. A consumer installing this skill would not get the required module, so the instructions cannot be executed as-is. That mismatch suggests either missing code (sloppy packaging) or reliance on an external, implicit file not provided by the skill.
Instruction Scope
Runtime instructions tell the agent to execute Python snippets that import crypto_charts.py, write files under ~/clawd/charts, call external data sources (Yahoo Finance, CoinGecko), and then use a platform 'message' command to send charts to Telegram with a specific hard-coded target ("7887978276"). The hard-coded recipient is a direct privacy/exfiltration risk if executed automatically. The instructions assume local files and messaging capabilities that are not declared or sandboxed.
Install Mechanism
There is no install spec (instruction-only), so the skill itself does not drop or run code on install — that limits immediate installer risk. However, because the instructions expect a local crypto_charts.py module that is not included, the skill as-published is incomplete. The lack of an install step means nothing from the skill will be written to disk, but execution of the described commands will still rely on external code/resources the user must already have.
Credentials
The skill requests no environment variables or credentials (proportionate). It does reference external services (Yahoo Finance, CoinGecko) that normally require no keys. However, it also instructs sending images via Clawdbot's 'message' command to a specific Telegram target; no credentials are declared for that capability and the hard-coded recipient is suspicious because it would transmit generated charts to an external actor without explicit user consent.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence, does not modify other skills or system-wide settings, and is user-invocable only. It does assume access to the agent's messaging facility, which is typical, but that access is not explicitly declared in the skill metadata.
Scan Findings in Context
[no_regex_findings] unexpected: The static scanner found no code to analyze because this is an instruction-only skill (only SKILL.md and _meta.json present). That absence is inconsistent with the SKILL.md which references a local crypto_charts.py module — the scanner could not validate that module because it wasn't included.
What to consider before installing
Do not run the provided Python commands or the 'message' snippet until you verify what will actually execute. Specific actions to take before installing or using:

1) Confirm whether you already have a trusted crypto_charts.py in ~/clawd; if not, treat the skill as incomplete — ask the publisher for the missing code or a proper install package.
2) Audit the crypto_charts.py source (if provided) for network calls, hidden endpoints, or code that reads unrelated files.
3) Remove or change the hard-coded Telegram target ("7887978276") — it will send generated charts to that recipient if executed.
4) Run the scripts in an isolated environment first (sandbox/container) and monitor network traffic and outgoing messages.
5) If you need messaging, verify that your platform's messaging action uses your account and explicit consent; do not rely on undocumented recipient targets.

These inconsistencies likely indicate sloppy packaging or risk of unintended data exfiltration; verify code provenance before proceeding.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.