public-dot-com
v0.1.5

Interact with your Public.com brokerage account using the Public.com API. Able to view portfolio, get stock quotes, place trades, and get account updates. To create a Public.com account head to public.com/signup.

⭐ 7 · 2.4k · 0 current · 0 all-time

by public-dot-com@tarricsookdeo

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)

Verdict: Suspicious (medium confidence)

Purpose & Capability
The code and SKILL.md implement a Public.com API client (portfolio, quotes, orders, options workflows), which aligns with the skill description. However, the registry metadata (as provided) claims no required env vars/config paths, while the SKILL.md and scripts clearly require a PUBLIC_COM_SECRET and optionally PUBLIC_COM_ACCOUNT_ID and read/write a secure file under ~/.openclaw/workspace/.secrets. This metadata mismatch is an incoherence that the publisher should explain.
Instruction Scope
Runtime instructions are narrowly scoped to interacting with the Public.com API via the included Python scripts. They instruct the agent to prompt for an API secret and persist it via 'openclaw config set' into the secure-file path. This is expected for a brokerage integration, but the instructions do cause long-lived storage of credentials which expands the skill's persistence surface.
Install Mechanism
There is no formal install spec in the registry, but the Python scripts auto-install the publicdotcom-py dependency using subprocess pip install on ImportError, and a requirements.txt references publicdotcom-py. Auto-installing from PyPI at runtime is common but carries higher operational risk than an instruction-only skill because it writes to disk and executes newly installed code. The package name appears expected for a Public.com SDK, but you should verify that the PyPI project and upstream repo are trustworthy.
Credentials
The skill legitimately needs a brokerage API secret and (optionally) an account id. Those credentials are requested and used. However, the registry metadata claims no required environment variables or config paths, while SKILL.md and the scripts use PUBLIC_COM_SECRET, PUBLIC_COM_ACCOUNT_ID and a specific secure-file path (~/.openclaw/workspace/.secrets/*). This discrepancy is a coherence issue, and the persistent secure-file storage of the secret increases the blast radius if the host or skill is compromised.
Persistence & Privilege
The skill does persist the API secret via the OpenClaw config/secure file and instructs users how to set a default account id; it does not request 'always: true' nor attempt to modify other skills or system-wide settings. The persistence is limited to storing its own credentials/config — expected for a long-running brokerage integration but something to be aware of.
What to consider before installing
Before installing or enabling this skill:
- Verify the metadata: the registry entry claims no required env vars/config paths, but the skill uses PUBLIC_COM_SECRET and may write that secret to ~/.openclaw/workspace/.secrets/public_com_secret.txt. Ask the publisher to explain/fix the metadata mismatch.
- Review the dependency: the scripts auto-install publicdotcom-py via pip at runtime. Confirm the PyPI package and the GitHub repo (SKILL.md points to https://github.com/PublicDotCom/claw-skill-public-dot-com) are legitimate before allowing install.
- Treat the API secret as sensitive: consider creating a restricted/read-only API key if Public.com supports it, or test with a throwaway account first. If you must provide a full trading key, be aware the skill will persist it to disk in the OpenClaw workspace and could be used to place trades.
- Audit automation examples: the included 'options-automation-library' contains multi-leg and automated trading examples. Do not enable autonomous execution or automatic order placement unless you fully trust the code and understand the behavior.
- Operationally: run this skill in an isolated environment, inspect the code yourself (or have someone you trust do so), and be prepared to revoke the API key immediately if anything unexpected happens.
If you need further help: ask for a checklist of lines/files to inspect or guidance on verifying the publicdotcom-py package and GitHub repository.

latest: vk97em5z32dhck53xth2d5h5xsd80zc04
