Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Finance News Briefings
v1.0.1
Market news briefings with AI summaries. Use when asked about stock news, market updates, portfolio performance, morning/evening briefings, financial headlines, or price alerts. Supports US/Europe/Japan markets, WhatsApp delivery, and English/German output.
⭐ 10 · 7.7k · 41 current · 45 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared skill purpose (market news briefings) matches the repository contents (RSS fetchers, summarizers, delivery workflows). However the registry metadata lists no required env vars or binaries while README/SKILL.md and scripts clearly assume use of external CLIs (openclaw, lobster), and environment variables like FINANCE_NEWS_TARGET and FINANCE_NEWS_CHANNEL. That mismatch (no declared requirements but the code expects delivery targets and CLI tools) is incoherent and could surprise users.
Instruction Scope
Runtime docs and cron scripts instruct the agent to read/write local config files (config/config.json, config/portfolio.csv), schedule cron jobs, and run Lobster/OpenClaw workflows that send messages. The docs also include an explicit procedure to export browser session cookies into config/cookies.json to fetch paywalled content — this requires copying session tokens (sensitive data) from your browser into a local file. The SKILL.md and included docs therefore ask for potentially sensitive data and to perform system changes (cron entries, message sends) outside simple summarization.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the bundle includes many code files, Dockerfile, and Python scripts. README recommends Docker or native Python install (venv + pip). No remote download URLs or archive extracts are used here, which lowers install risk, but you should still inspect and/or run inside an isolated container before giving it network or messaging permissions.
Credentials
Registry metadata declares no required environment variables, yet scripts and README rely on FINANCE_NEWS_TARGET, FINANCE_NEWS_CHANNEL, and SKILL_DIR. The cron scripts provide a default FINANCE_NEWS_TARGET value (a WhatsApp group JID: 120363421796203667@g.us) if the variable is unset — that default target could cause messages to be sent to an external group unintentionally. The docs also advise creating config/cookies.json containing session tokens for premium sources — storing browser cookies locally is sensitive and not justified for most users. Overall requested/assumed environment access is underdeclared relative to the code and docs.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. However its instructions and cron scripts encourage adding scheduled jobs (crontab or openclaw cron) and running Lobster workflows that will automatically send briefings. That means once installed and configured, it can persistently send messages on a schedule (normal for this use case) — users should be explicit about cron additions and the delivery target before enabling automation.
What to consider before installing
Before installing or enabling this skill:
1) Inspect the code (scripts/fetch_news.py, scripts/briefing.py, cron/*.sh, workflows/*). Look for any hardcoded endpoints or default targets and remove or change them.
2) Do not rely on the registry metadata alone — set FINANCE_NEWS_TARGET and FINANCE_NEWS_CHANNEL to safe values you control before running any cron/workflow. The cron scripts default to a WhatsApp group JID; change that default or export explicit values to avoid accidental message sends.
3) Avoid following the premium-sources cookie export unless you understand the risk: copying browser session cookies into config/cookies.json grants the skill full access to your account and should only be used if you trust the code and host it locally in a secure environment.
4) Run the skill inside an isolated environment (Docker or dedicated VM) and review network activity if possible.
5) If you plan to enable scheduled briefings, first run one-off commands manually to verify outputs and delivery.
6) If you are not comfortable auditing code, prefer using free sources only (as recommended in docs) and avoid adding cookie-based premium sources or automatic cron jobs.
These checks will reduce the risk of unintended data exposure or message delivery.
Like a lobster shell, security has layers — review code before you run it.
latestvk97e53by63nbjbn5ebx075652180dac3
