Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Congress Trades Tracker

v1.1.4

Track US congress member and politician stock trades in real-time using the Quiver Quant API. Syncs trades to a local SQLite database, detects new significan...

by Arm4x @armax

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
The name/description (track congressional trades via Quiver Quant) aligns with the included script and instructions. However, the registry metadata lists no required environment variables while SKILL.md and scripts/scraper.py both require QUIVER_API_KEY — a metadata inconsistency that should be corrected.
Instruction Scope
SKILL.md and the script stay within scope: they call only the Quiver API, write a local SQLite DB and alert files under the skill's data directory, and instruct cron/OpenClaw pickup. There are no instructions to read unrelated host files or to send data to third-party endpoints beyond api.quiverquant.com.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with a simple Python script that depends on the standard requests package — low install risk.
Credentials
The script legitimately requires a single API key (QUIVER_API_KEY) and optional local-path env vars (CONGRESS_DB_PATH, MIN_TRADE_AMOUNT). This is proportionate to its function, but the registry metadata does not list QUIVER_API_KEY, an inconsistency that should be surfaced.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configs. It writes only to its own data/logs paths under the skill directory; autonomous model invocation is allowed but is the platform default.
Assessment
This skill appears to do what it says: poll Quiver Quant, store trades locally, and write alert files for OpenClaw pickup. Before installing:

1. Provide a Quiver API key (QUIVER_API_KEY) via environment; the registry metadata omitted this but both SKILL.md and the script require it.
2. Confirm where the skill will be placed so the created data/ and logs/ directories are acceptable and set restrictive permissions (chmod 700 data/).
3. Ensure the agent environment has Python 3.10+ and the requests package.
4. Review cron scheduling and retention (it writes new_trades.json and a sqlite DB) to avoid unbounded growth.
5. Treat the QUIVER_API_KEY as sensitive (don't hard-code it; store in a secure secrets store).

If you need stronger assurance, ask the publisher to correct the registry metadata to declare QUIVER_API_KEY and provide an origin/homepage for trust verification.
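One way to check for the metadata gap noted above before installing a skill, as an added example that is not part of the scan or the skill's own code: walk the script's AST, collect the environment variables it reads, and report the required ones the registry metadata does not declare. The sample script is constructed, the function names are hypothetical, and only literal names read through `os.environ` or `os.getenv` are detected.

```python
import ast

# Constructed stand-in for a skill script; not the contents of scripts/scraper.py.
SAMPLE_SCRIPT = '''
import os
API_KEY = os.environ["QUIVER_API_KEY"]
DB_PATH = os.environ.get("CONGRESS_DB_PATH", "data/congress_trades.db")
MIN_AMOUNT = int(os.getenv("MIN_TRADE_AMOUNT", "15001"))
'''

def _is_os_attr(node, attr):
    """True for the expression os.<attr>."""
    return (isinstance(node, ast.Attribute) and node.attr == attr
            and isinstance(node.value, ast.Name) and node.value.id == "os")

def env_vars_read(source):
    """Map each literal env var name the source reads to True if any read has
    no default (os.environ[X], or get/getenv called with one argument)."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        name, required = None, False
        if (isinstance(node, ast.Subscript) and isinstance(node.ctx, ast.Load)
                and _is_os_attr(node.value, "environ")):
            name, required = node.slice, True
        elif isinstance(node, ast.Call) and node.args:
            f = node.func
            is_get = (isinstance(f, ast.Attribute) and f.attr == "get"
                      and _is_os_attr(f.value, "environ"))
            if is_get or _is_os_attr(f, "getenv"):
                name = node.args[0]
                required = len(node.args) == 1 and not node.keywords
        if isinstance(name, ast.Constant) and isinstance(name.value, str):
            found[name.value] = found.get(name.value, False) or required
    return found

def undeclared_required(source, declared):
    """Required env vars the code reads that the metadata does not declare."""
    return sorted(n for n, req in env_vars_read(source).items()
                  if req and n not in declared)
```

With an empty declared set, as in the registry entry described above, `undeclared_required(SAMPLE_SCRIPT, set())` returns `["QUIVER_API_KEY"]`.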

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ah4ew9a66qc3nr2e28gktd1818tsb
693 downloads
0 stars
7 versions
Updated 3h ago
v1.1.4
MIT-0

Congress Trades Tracker

Monitor US congressional stock trades via Quiver Quant API, store in a local SQLite database, and alert on new significant trades. Requires Python requests library and a Quiver Quant API key.

Requirements

Environment Variables

| Variable | Required | Default | Description |
|---|---|---|---|
| QUIVER_API_KEY | Yes | | Quiver Quant API token |
| CONGRESS_DB_PATH | No | data/congress_trades.db | SQLite database path |
| MIN_TRADE_AMOUNT | No | 15001 | Minimum trade amount to trigger alerts |

Set these in your shell profile, .env file, or cron environment. Never hard-code API keys in the script.

Setup

1. Install Python dependency

pip install requests

2. Set your API key

export QUIVER_API_KEY="your-api-key-here"

3. Schedule with user cron (no sudo needed)

Add your env vars to ~/.profile or a .env file sourced by your shell, then add the cron entry:

crontab -e
# Add this line (uses env vars from your profile):
* * * * * . "$HOME/.profile" && /usr/bin/python3 /path/to/scripts/scraper.py >> /path/to/logs/scraper.log 2>&1

Never inline API keys directly in crontab entries.

4. Set up OpenClaw alert pickup

Add to your HEARTBEAT.md:

## Check for congress trade alerts
- Read `congress_trades/data/pending_congress_alert.txt` — if it has content, send the alert to the user, then delete the file.

Or create an OpenClaw cron job (every 5 min) to check and forward alerts.

How It Works

  1. Scraper runs every minute, fetches latest 200 trades from api.quiverquant.com
  2. Inserts into local SQLite with unique trade_key deduplication
  3. First run initializes DB and reports newest trade
  4. Subsequent runs detect new trades, filter to buys/sells above threshold
  5. Writes formatted alert to data/pending_congress_alert.txt for OpenClaw pickup
  6. Keeps last 50 alerts in data/new_trades.json
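The dedup-then-filter flow in the steps above, as an added example (not the skill's scraper.py): a unique trade_key with INSERT OR IGNORE makes re-fetching the same trades idempotent, and only rows that were actually inserted are considered for alerts. The record fields, the trade_key composition, the Purchase/Sale labels and comparing the threshold to the lower bound of the amount range are assumptions; the sample records are constructed.

```python
import re
import sqlite3

MIN_TRADE_AMOUNT = 15001  # default from the Requirements table
MAX_ALERTS = 50           # history size from step 6
FIELDS = ("name", "ticker", "kind", "amount", "traded")  # assumed record layout

# Constructed sample records, not real Quiver Quant API output.
SAMPLE = [
    {"name": "Member A", "ticker": "AAA", "kind": "Purchase",
     "amount": "$1,001 - $15,000", "traded": "2026-02-01"},
    {"name": "Member B", "ticker": "BBB", "kind": "Sale",
     "amount": "$15,001 - $50,000", "traded": "2026-02-03"},
    {"name": "Member C", "ticker": "CCC", "kind": "Purchase",
     "amount": "$1,000,001 - $5,000,000", "traded": "2026-02-10"},
    {"name": "Member D", "ticker": "DDD", "kind": "Sale",
     "amount": "$1,001 - $15,000", "traded": "2026-02-11"},
]

def lower_bound(amount):
    """'$15,001 - $50,000' -> 15001 (assumption: threshold uses the lower bound)."""
    m = re.search(r"\d[\d,]*", amount or "")
    return int(m.group().replace(",", "")) if m else 0

def sync(conn, trades, history):
    """Store trades; return (alerts, history trimmed to MAX_ALERTS)."""
    cols = ", ".join(f"{f} TEXT" for f in FIELDS)
    conn.execute(f"CREATE TABLE IF NOT EXISTS trades (trade_key TEXT PRIMARY KEY, {cols})")
    first_run = conn.execute("SELECT COUNT(*) FROM trades").fetchone()[0] == 0
    fresh = []
    for t in trades:
        row = tuple(t[f] for f in FIELDS)
        key = "|".join(row)  # hypothetical trade_key: all identifying fields
        cur = conn.execute(
            "INSERT OR IGNORE INTO trades VALUES (?, ?, ?, ?, ?, ?)", (key, *row))
        if cur.rowcount == 1:  # 0 means the key already existed and was ignored
            fresh.append(t)
    conn.commit()
    if first_run:
        # First run only seeds the database and reports the newest trade.
        alerts = [max(fresh, key=lambda t: t["traded"])] if fresh else []
    else:
        alerts = [t for t in fresh if t["kind"] in ("Purchase", "Sale")
                  and lower_bound(t["amount"]) >= MIN_TRADE_AMOUNT]
    return alerts, (history + alerts)[-MAX_ALERTS:]
```

Trimming the history on every run is what bounds new_trades.json; the trades table itself still grows with each new disclosure, which is the retention point raised in the assessment.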

Network and Data

  • Only outbound connection: api.quiverquant.com (Quiver Quant API)
  • Storage: local SQLite file + JSON alert files in data/
  • No external endpoints besides the Quiver API
  • Restrict file permissions on data directory (chmod 700 data/)

Alert Format

🏛️ 3 new congress trade(s) detected:

🟢 PURCHASE: Nancy Pelosi (D) [Rep]
   $NVDA — $1,000,001 - $5,000,000
   Trade: 2026-02-10 | Reported: 2026-02-14

🔴 SALE: Dan Crenshaw (R) [Rep]
   $MSFT — $15,001 - $50,000
   Trade: 2026-02-09 | Reported: 2026-02-14

Customization

  • MIN_TRADE_AMOUNT: raise/lower via env var to change alert threshold
  • Fetch limit: change limit=200 in fetch_trades() for broader sweeps
  • Cron frequency: reduce to every 5 or 15 minutes if you prefer less polling
