Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Analysis

Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock sco...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 29 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The repository contains a large Python-based analysis tool (many scripts) that matches the stated purpose (Yahoo Finance-based analysis, hot scanner, watchlists, portfolio). However the declared runtime requirement is only a single binary 'uv' (installed via a brew formula), while most scripts are Python and are also run with python3 in the docs. Requiring 'uv' for a Python CLI wrapper is unusual but plausible if 'uv' is a runner; it's worth verifying the brew formula before installing.
! Instruction Scope
SKILL.md and docs instruct users to obtain Twitter/X auth by extracting browser cookies (AUTH_TOKEN and CT0) and explicitly recommend granting Terminal 'Full Disk Access' on macOS to read browser state. Those steps request access to highly sensitive data (browser cookies) and broaden the skill's runtime privileges beyond what is needed for stock analysis. The docs also suggest cron jobs and writing logs (including /var/log/hot_scanner.log), and reference storing portfolios/watchlists under the user's home directory — this scope of file access and instructions to harvest cookies are concerning.
Install Mechanism
The only formal install spec is a brew formula for 'uv'. No remote downloads, archives, or obscure URLs are present in the install spec, which is lower risk than arbitrary URL installs. That said, 'uv' is not a commonly-known Python runtime and you should inspect the brew formula to confirm what it installs and whether it runs arbitrary code or downloads further artifacts.
! Credentials
The registry metadata declares no required environment variables, but the documentation and scripts clearly reference multiple optional secrets (Twitter/X tokens AUTH_TOKEN & CT0 for bird CLI, possible webhook tokens for Feishu/Telegram/other notifications). Those optional credentials are not declared in requires.env. Instructions that encourage extracting browser cookies to populate these env vars are disproportionate and risky. Also the project references an SEC identity email and suggests EDGAR calls; these are less sensitive but indicate external-data queries that may require contact info or rate-limit handling.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It does persist user data into ~/.clawdbot/skills/stock-analysis (portfolios.json, watchlist.json) and suggests cron automation and log files (including /var/log paths). Storing tokens in .env or adding cron jobs increases persistence and blast radius if credentials are present. Autonomous invocation (model invocation enabled) is the platform default; combined with the other concerns (cookie extraction, undeclared secrets) that raises the potential impact.
What to consider before installing
This skill largely implements what it claims (stock/crypto analysis, hot scanner, watchlists), but there are red flags you should consider before installing:

  • Do not grant Full Disk Access or copy browser cookies just to enable Twitter features. Instead, prefer creating API credentials via official developer access if you need social data; copying cookies is risky and can expose other accounts.
  • Inspect the 'uv' brew formula before installing. Confirm it is the tool you expect (or run the Python scripts directly with python3 in a controlled environment).
  • The repository references optional notification integrations (Feishu, Telegram, etc.) but does not declare required env vars — check each script for where it expects tokens and where it would send data (webhook URLs). Avoid putting secrets in plaintext .env files in your home directory.
  • Run the code in an isolated environment (VM or container) and audit outgoing network calls before giving it persistent access or cron jobs. Monitor what endpoints the scripts contact and ensure they are legitimate (Yahoo, CoinGecko, Google News, SEC, approved APIs).
  • If you only need basic analysis, run scripts without optional integrations (use --no-social / --fast flags) to avoid the parts that require extra credentials.

If you want, I can: (1) show the specific files that attempt to read environment variables or cookies, (2) help inspect the brew formula for 'uv', or (3) produce a short checklist to harden running this skill (containerization, least-privilege, secrets handling).

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk970d8y1779wrxj2zr0qn4sqx58313gh


Runtime requirements

📈 Clawdis
Bins: uv

Install

Install uv (brew)
Bins: uv
brew install uv

SKILL.md

Stock Analysis v6.1

Analyze US stocks and cryptocurrencies with 8-dimension analysis, portfolio management, watchlists, alerts, dividend analysis, and viral trend detection.

What's New in v6.2

  • 🔮 Rumor Scanner — Early signals before mainstream news
    • M&A rumors and takeover bids
    • Insider buying/selling activity
    • Analyst upgrades/downgrades
    • Twitter/X "hearing that...", "sources say..." detection
  • 🎯 Impact Scoring — Rumors ranked by potential market impact

What's in v6.1

  • 🔥 Hot Scanner — Find viral stocks & crypto across multiple sources
  • 🐦 Twitter/X Integration — Social sentiment via bird CLI
  • 📰 Multi-Source Aggregation — CoinGecko, Google News, Yahoo Finance
  • Cron Support — Daily trend reports

What's in v6.0

  • 🆕 Watchlist + Alerts — Price targets, stop losses, signal changes
  • 🆕 Dividend Analysis — Yield, payout ratio, growth, safety score
  • 🆕 Fast Mode: --fast skips slow analyses (insider, news)
  • 🆕 Improved Performance: --no-insider for faster runs

Quick Commands

Stock Analysis

# Basic analysis
uv run {baseDir}/scripts/analyze_stock.py AAPL

# Fast mode (skips insider trading & breaking news)
uv run {baseDir}/scripts/analyze_stock.py AAPL --fast

# Compare multiple
uv run {baseDir}/scripts/analyze_stock.py AAPL MSFT GOOGL

# Crypto
uv run {baseDir}/scripts/analyze_stock.py BTC-USD ETH-USD

Dividend Analysis (NEW v6.0)

# Analyze dividends
uv run {baseDir}/scripts/dividends.py JNJ

# Compare dividend stocks
uv run {baseDir}/scripts/dividends.py JNJ PG KO MCD --output json

Dividend Metrics:

  • Dividend Yield & Annual Payout
  • Payout Ratio (safe/moderate/high/unsustainable)
  • 5-Year Dividend Growth (CAGR)
  • Consecutive Years of Increases
  • Safety Score (0-100)
  • Income Rating (excellent/good/moderate/poor)

Watchlist + Alerts (NEW v6.0)

# Add to watchlist
uv run {baseDir}/scripts/watchlist.py add AAPL

# With price target alert
uv run {baseDir}/scripts/watchlist.py add AAPL --target 200

# With stop loss alert
uv run {baseDir}/scripts/watchlist.py add AAPL --stop 150

# Alert on signal change (BUY→SELL)
uv run {baseDir}/scripts/watchlist.py add AAPL --alert-on signal

# View watchlist
uv run {baseDir}/scripts/watchlist.py list

# Check for triggered alerts
uv run {baseDir}/scripts/watchlist.py check
uv run {baseDir}/scripts/watchlist.py check --notify  # Telegram format

# Remove from watchlist
uv run {baseDir}/scripts/watchlist.py remove AAPL

Alert Types:

  • 🎯 Target Hit — Price >= target
  • 🛑 Stop Hit — Price <= stop
  • 📊 Signal Change — BUY/HOLD/SELL changed

Portfolio Management

# Create portfolio
uv run {baseDir}/scripts/portfolio.py create "Tech Portfolio"

# Add assets
uv run {baseDir}/scripts/portfolio.py add AAPL --quantity 100 --cost 150
uv run {baseDir}/scripts/portfolio.py add BTC-USD --quantity 0.5 --cost 40000

# View portfolio
uv run {baseDir}/scripts/portfolio.py show

# Analyze with period returns
uv run {baseDir}/scripts/analyze_stock.py --portfolio "Tech Portfolio" --period weekly

🔥 Hot Scanner (NEW v6.1)

# Full scan - find what's trending NOW
python3 {baseDir}/scripts/hot_scanner.py

# Fast scan (skip social media)
python3 {baseDir}/scripts/hot_scanner.py --no-social

# JSON output for automation
python3 {baseDir}/scripts/hot_scanner.py --json

Data Sources:

  • 📊 CoinGecko Trending — Top 15 trending coins
  • 📈 CoinGecko Movers — Biggest gainers/losers
  • 📰 Google News — Finance & crypto headlines
  • 📉 Yahoo Finance — Gainers, losers, most active
  • 🐦 Twitter/X — Social sentiment (requires auth)

Output:

  • Top trending by mention count
  • Crypto highlights with 24h changes
  • Stock movers by category
  • Breaking news with tickers

Twitter Setup (Optional):

  1. Install bird: npm install -g @steipete/bird
  2. Login to x.com in Safari/Chrome
  3. Create .env with AUTH_TOKEN and CT0

🔮 Rumor Scanner (NEW v6.2)

# Find early signals, M&A rumors, insider activity
python3 {baseDir}/scripts/rumor_scanner.py

What it finds:

  • 🏢 M&A Rumors — Merger, acquisition, takeover bids
  • 👔 Insider Activity — CEO/Director buying/selling
  • 📊 Analyst Actions — Upgrades, downgrades, price target changes
  • 🐦 Twitter Whispers — "hearing that...", "sources say...", "rumor"
  • ⚖️ SEC Activity — Investigations, filings

Impact Scoring:

  • Each rumor is scored by potential market impact (1-10)
  • M&A/Takeover: +5 points
  • Insider buying: +4 points
  • Upgrade/Downgrade: +3 points
  • "Hearing"/"Sources say": +2 points
  • High engagement: +2 bonus

Best Practice: Run at 07:00 before US market open to catch pre-market signals.

Analysis Dimensions (8 for stocks, 3 for crypto)

Stocks

| Dimension | Weight | Description |
|---|---|---|
| Earnings Surprise | 30% | EPS beat/miss |
| Fundamentals | 20% | P/E, margins, growth |
| Analyst Sentiment | 20% | Ratings, price targets |
| Historical | 10% | Past earnings reactions |
| Market Context | 10% | VIX, SPY/QQQ trends |
| Sector | 15% | Relative strength |
| Momentum | 15% | RSI, 52-week range |
| Sentiment | 10% | Fear/Greed, shorts, insiders |

Crypto

  • Market Cap & Category
  • BTC Correlation (30-day)
  • Momentum (RSI, range)

Sentiment Sub-Indicators

| Indicator | Source | Signal |
|---|---|---|
| Fear & Greed | CNN | Contrarian (fear=buy) |
| Short Interest | Yahoo | Squeeze potential |
| VIX Structure | Futures | Stress detection |
| Insider Trades | SEC EDGAR | Smart money |
| Put/Call Ratio | Options | Sentiment extreme |

Risk Detection

  • ⚠️ Pre-Earnings — Warns if < 14 days to earnings
  • ⚠️ Post-Spike — Flags if up >15% in 5 days
  • ⚠️ Overbought — RSI >70 + near 52w high
  • ⚠️ Risk-Off — GLD/TLT/UUP rising together
  • ⚠️ Geopolitical — Taiwan, China, Russia, Middle East keywords
  • ⚠️ Breaking News — Crisis keywords in last 24h

Performance Options

| Flag | Effect | Speed |
|---|---|---|
| (default) | Full analysis | 5-10s |
| --no-insider | Skip SEC EDGAR | 3-5s |
| --fast | Skip insider + news | 2-3s |

Supported Cryptos (Top 20)

BTC, ETH, BNB, SOL, XRP, ADA, DOGE, AVAX, DOT, MATIC, LINK, ATOM, UNI, LTC, BCH, XLM, ALGO, VET, FIL, NEAR

(Use -USD suffix: BTC-USD, ETH-USD)

Data Storage

| File | Location |
|---|---|
| Portfolios | ~/.clawdbot/skills/stock-analysis/portfolios.json |
| Watchlist | ~/.clawdbot/skills/stock-analysis/watchlist.json |

Limitations

  • Yahoo Finance may lag 15-20 minutes
  • Short interest lags ~2 weeks (FINRA)
  • Insider trades lag 2-3 days (SEC filing)
  • US markets only (non-US incomplete)
  • Breaking news: 1h cache, keyword-based

Disclaimer

⚠️ NOT FINANCIAL ADVICE. For informational purposes only. Consult a licensed financial advisor before making investment decisions.

Files

26 total