Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

etf-finance

v1.1.0

ETF and fund portfolio manager with price alerts, profit/loss tracking, and position management. Track your ETF/fund holdings, calculate gains/losses, set pr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (ETF portfolio manager, alerts, P/L) match the included scripts: add/remove/list positions and alerts, price lookups (Yahoo + Tencent). No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md directs the agent/user to run the included local Python scripts and optionally add a cron job to run check_alerts.py. All file reads/writes are confined to the stated data directory (~/.clawdbot/etf_investor). External network calls are only to expected price data sources (Tencent qt.gtimg.cn and Yahoo via yfinance).
Install Mechanism
There is no registry install spec, but an install.sh is included and documented. install.sh runs pip3 install --user yfinance (and a fallback), which pulls from PyPI; no arbitrary URL downloads or extracted archives. Minor inconsistency: README claims a Python virtualenv is created, but install.sh does not create one (it installs into user site-packages).
Credentials
The skill requests no environment variables or credentials. It stores data locally under ~/.clawdbot/etf_investor and modifies only its own files. The config.py attempts to add a venv site-packages path to sys.path if present — this is reasonable given optional venv use.
Persistence & Privilege
always is false and the skill does not request elevated privileges or modify other skills or system-wide config. It creates and deletes its own data directory during install/uninstall and makes its scripts executable.
Assessment
This skill appears to do what it says: local portfolio tracking, alerts, and price lookups via Tencent Finance and Yahoo (yfinance). Before installing:
1) Review and optionally run the scripts in an isolated environment (or container), because install.sh will pip-install yfinance into your user Python environment.
2) Note a documentation mismatch: README mentions creating a virtualenv but install.sh does not. If you prefer isolation, create and activate a venv yourself before installing.
3) Be aware check_alerts.py is intended to be run periodically (cron) and prints alerts to stdout only (no push notifications).
4) There are minor functional bugs (e.g., check_alerts.py reuses load_alerts() for positions, and README mentions an update_position script that is missing); these are implementation issues, not covert behavior.
5) If you store real trade or sensitive info, back up ~/.clawdbot/etf_investor and inspect file permissions.
If you want higher assurance, run the install in a disposable account or virtual environment and review network traffic to confirm only expected finance endpoints are contacted.

Like a lobster shell, security has layers — review code before you run it.
