Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims market follow‑up, personal bill synchronization, transaction exports and trust/legal guidance. However, there are no declared APIs, environment variables, or install steps to access market data, bank/accounting data, or legal databases. The functionality described would normally require external connectors and credentials that are not requested or documented.
Instruction Scope
SKILL.md is vague: it states 'sub‑hour sync with markets and personal bills' and promises exports of transaction histories, but gives no concrete instructions about data sources or where/how data is obtained. That vagueness grants broad discretion and implies actions (fetching personal financial data) that are not specified or constrained.
Install Mechanism
Instruction‑only skill with no install spec or code files — lowest installation risk. Nothing will be written to disk by an installer because none is provided.
Credentials
No environment variables, credentials, or config paths are declared despite features that normally require access tokens (bank APIs, market data feeds, bookkeeping services). The absence of declared credentials is inconsistent with the claimed capabilities and should be clarified.
Persistence & Privilege
always is false and the skill does not request persistent/system‑level presence or to modify other skills. Autonomous invocation is allowed (platform default) but not by itself risky here.
What to consider before installing
Before installing or using this skill, ask the author to explain exactly how it obtains market prices, personal bill/transaction data, and where exported statements are stored. Do not paste real bank account numbers, full statements, or other sensitive financial/identity data into chat unless you trust the connector and understand its storage/retention policy. Request a list of required API keys or OAuth connectors and the exact endpoints used; if the skill will integrate with your accounts it should explicitly declare and document those credentials and permissions. If you need legal or tax advice, prefer licensed professionals — treat this skill as informational unless the author provides verifiable integrations and liability disclaimers.Like a lobster shell, security has layers — review code before you run it.
latestvk97d9f512c0nrjzgjpr4m07965837w57
License
MIT-0
Free to use, modify, and redistribute. No attribution required.