ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PeerBerry SDK

Use this skill when assisting with FortressQuant's peerberry-sdk for PeerBerry investor automation, P2P lending education, and alternative-investment onboard...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 28 · 0 current installs · 0 all-time installs
by@FortressQuant
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, README, and docs consistently describe a PeerBerry Python SDK and methods for read-only and purchase flows — that purpose matches the skill name and description. However, the distributed bundle lacks the package source under src/ (the pyproject exists but the src package files are not present in the manifest), and pyproject.toml declares version 2.0.0 while the registry metadata shows version 1.0.0. This mismatch is an incoherence: the skill expects users to pip-install 'peerberry-sdk' rather than providing the SDK code inline.
Instruction Scope
Instructions are narrowly scoped to PeerBerry account operations (auth, read-only calls, guarded purchase flows). They instruct passing credentials (email/password/tfa_secret) to the SDK (expected). They also document header profile options that accept a filesystem path or env var (peerberry_sdk_HEADER_PROFILE=/path/to/profile.json), which means the SDK can be pointed at arbitrary local JSON files for header injection — this is functionally reasonable but increases the surface for misuse if a user points it at sensitive files. The docs reference tests/.env with PEERBERRY_USERNAME etc., but the skill metadata declares no required env vars — not a direct vulnerability but an inconsistency to note.
!
Install Mechanism
There is no install spec for the skill bundle; the docs instruct users to pip install 'peerberry-sdk'. Because the skill does not include the package implementation (no src/ package files in the manifest), the runtime flow implicitly depends on fetching an external package (PyPI/GitHub). That is a significant coherence gap: an agent using this skill would likely recommend installing an external package whose provenance must be verified. The pyproject lists a dependency on 'cloudscraper', which is plausible but worth verifying. No downloaded URLs or extract steps are included in the skill itself.
Credentials
The skill declares no required environment variables (metadata shows none), which matches the bundle. The SDK documentation expects credentials (email/password/tfa_secret/access_token) to be supplied by the caller — that is expected for an API client. The header_profile_path and peerberry_sdk_HEADER_PROFILE options allow the SDK to read a local JSON file; this capability is reasonable for custom headers but could be abused to load secrets from arbitrary paths if misconfigured. No unrelated credentials (AWS keys, unrelated tokens) are requested.
Persistence & Privilege
The skill does not request persistent/always-loaded privileges (always:false). It contains no install script that would write to system-wide config. The agent would run normally and can autonomously invoke the skill (disable-model-invocation is false), which is the platform default; this is not an additional red flag by itself.
Scan Findings in Context
[no-findings] expected: The static pre-scan reported no regex-based findings. That does not imply safety — many important signals come from instruction content and missing/ambiguous files (see install_mechanism and purpose_capability notes).
What to consider before installing
This skill appears to be documentation and runtime guidance for a PeerBerry Python SDK, but the bundle does not include the actual SDK implementation (no src/ package files were provided) and the packaging metadata/versioning is inconsistent. Before installing or using it: - Do not paste credentials into any public chat. Use local, private execution. - Verify the true source of the package you will install (pip install peerberry-sdk): check PyPI and the GitHub repo referenced in pyproject.toml to ensure you are installing the intended project and version. Confirm author/maintainer identity and read the package code before installing. - Prefer installing into an isolated virtual environment. Inspect the installed package contents (site-packages) after install. - If you plan to run purchase/automation flows, keep DRY_RUN enabled initially and set conservative MAX_ORDERS; test read-only flows first. - The docs allow pointing the SDK at a header profile JSON file (header_profile_path / peerberry_sdk_HEADER_PROFILE). Only use that with files you control; do not point it at system files or shared secrets. What would raise confidence to benign: the skill including the actual src/ implementation, a matching package version and a trusted homepage/repository, or an explicit install spec that points to a verified release artifact (e.g., a GitHub release tarball from the disclosed repo). If you want, I can check PyPI/GitHub for 'peerberry-sdk' and compare the package contents and maintainers to what this skill claims.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk978md14b2th84gbrt6h7qxgmx83097a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

PeerBerry SDK Skill

TL;DR Quick Start

  • Start with read-only calls first (get_profile, get_overview, get_loans).
  • Use Decimal for money and rates, never float.
  • Treat purchase_loan as real-money action and gate it with DRY_RUN and MAX_ORDERS.
  • Use SDK filter arguments before local filtering (min_interest_rate, countries, loan_types).
  • Catch specific auth/funds errors, then fall back to PeerberryException.

Read-only starter:

from peerberry_sdk import PeerberryClient

with PeerberryClient(email="YOUR_EMAIL", password="YOUR_PASSWORD") as api:
    profile = api.get_profile()
    overview = api.get_overview()
    loans = api.get_loans(quantity=5)

    print(profile.public_id)
    print(overview.data.get("availableMoney", overview.data.get("items", {}).get("availableMoney")))
    print([loan.loan_id for loan in loans])

Safe invest starter:

from decimal import Decimal
from peerberry_sdk import PeerberryClient

DRY_RUN = True
MAX_ORDERS = 10
TICKET_SIZE = Decimal("10.00")

with PeerberryClient(email="YOUR_EMAIL", password="YOUR_PASSWORD") as api:
    loans = api.get_loans(quantity=50, min_interest_rate=Decimal("9.5"), exclude_invested_loans=True)

    for idx, loan in enumerate(loans):
        if idx >= MAX_ORDERS or loan.loan_id is None:
            break

        if DRY_RUN:
            print(f"[DRY_RUN] would invest {TICKET_SIZE} in loan {loan.loan_id}")
            continue

        api.purchase_loan(loan_id=loan.loan_id, amount=TICKET_SIZE)

Core Purpose

peerberry-sdk is a Python wrapper around the PeerBerry investor API. In P2P lending, investors allocate capital across many loans (or loan fractions), receive principal and interest repayments over time, and manage risk through diversification and monitoring. PeerBerry provides marketplace access to these investor workflows, and this SDK converts them into programmable Python actions for analysis, automation, and operational control.

Scope / Non-goals

In scope:

  • Explain PeerBerry and P2P lending concepts in plain language.
  • Generate and debug Python code using the real SDK method surface.
  • Build read-only monitoring scripts and guarded investment automation.
  • Help with filtering, paging, exports, and auth/token lifecycle patterns.

Out of scope:

  • Provide financial advice, suitability advice, or guaranteed-return claims.
  • Promise profitability, safety, or future performance.
  • Invent SDK methods that do not exist.

Request Classifier

Classify incoming requests and respond with the matching style:

  1. educational: user is new to P2P/PeerBerry.
    • Explain concepts first, then provide read-only demo code.
    • Load: references/p2p-primer.md.
  2. read_only_coding: user wants portfolio/loan analytics.
    • Provide runnable snippets with typed model handling.
    • Load: references/api-quickref.md.
  3. real_money_automation: user wants buy/invest flows.
    • Add DRY_RUN, MAX_ORDERS, funds checks, and explicit risk labels.
    • Load: references/api-quickref.md and references/task-recipes.md.
  4. debugging: user has errors/exceptions.
    • Triage auth, enum inputs, filter metadata, then payload shape.
    • Load: references/api-quickref.md.

Prerequisites

  • Create and verify an investor account on the official PeerBerry website: https://peerberry.com/.
  • Use valid PeerBerry credentials (email, password).
  • If account uses TOTP 2FA, provide tfa_secret and install the otp extra.
  • Treat purchase actions as real-money operations.

Key Concepts & Objects

Primary entry point:

  • PeerberryClient: high-level client for authentication, retrieval, and purchase actions.

Core model objects:

  • Profile, Overview, Loan, LoanPage, InvestmentPage, Transaction, AccountSummary, PurchaseOrder.

Domain semantics:

  • loan: marketplace listing that can be invested into.
  • investment: already-owned position in a loan.
  • purchase order: accepted order result with order_id (not settlement confirmation).

Installation & Authentication

Install:

pip install peerberry-sdk

Install with 2FA support:

pip install "peerberry-sdk[otp]"

Authenticate:

from peerberry_sdk import PeerberryClient

with PeerberryClient(email="YOUR_EMAIL", password="YOUR_PASSWORD") as api:
    print(api.get_profile().public_id)

Core Functions & Common Workflows

Use this method map:

  • Profile and portfolio: get_profile, get_overview, get_loyalty_tier
  • Loan discovery: get_loans, get_loans_page, get_loan_details
  • Purchase action: purchase_loan
  • Portfolio positions: get_investments
  • Cash flow and reporting: get_transactions, get_account_summary
  • Exports: get_mass_investments, get_mass_transactions
  • Metadata helpers: get_countries, get_originators

For signatures, enums, and exception patterns, load references/api-quickref.md. For copy-paste user prompts and intent routing, load references/task-recipes.md.

Safety Defaults (Real-Money Flows)

Always apply unless the user explicitly overrides:

  • Default to read-only path first.
  • Add DRY_RUN = True for first run.
  • Set a hard cap with MAX_ORDERS.
  • Skip records missing loan_id.
  • Validate available_to_invest >= ticket_size when field is present.
  • Stop on InsufficientFunds.
  • Log each resulting order_id.

Known SDK Quirks

  • get_overview payload can be flat or nested under items.
  • get_loans internally paginates with max page size 40.
  • get_loans defaults group_guarantee=True.
  • Country/originator filters require display names from metadata helpers.
  • Export methods return raw bytes, not typed rows.

Reference Files (Progressive Loading)

Load only what is needed:

  • references/p2p-primer.md
    • Use for beginner education, plain-language explanations, and trust-first communication rules.
  • references/api-quickref.md
    • Use for method signatures, accepted values, parameter semantics, exceptions, and debugging.
  • references/task-recipes.md
    • Use for copy-paste prompts mapped to common investor intents.

Maintenance Contract

When SDK changes, update this skill in this order:

  1. Verify method signatures and accepted values against:
    • src/peerberry_sdk/client.py
    • docs/api/client.md
  2. Update references/api-quickref.md first.
  3. Update affected recipes in references/task-recipes.md.
  4. Keep this root SKILL.md concise and routing-focused.
  5. Re-check safety defaults for any new write action methods.

Project Resources

Skill Authoring References (March 2026)

Files

19 total
Select a file
Select a file to preview.

Comments

Loading comments…