Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Perfect Storm Options
v1.0.0
Autonomous but risk-bounded options trading agent spec for the "Perfect Storm" strategy (paper trading only). Use when configuring, operating, or evaluating...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and instructions consistently describe a paper-only Perfect Storm options trading agent (Alpaca paper API integration, risk_config enforcement, journaling). That purpose is plausible and the constraints (paper-only, strict risk limits) are appropriate. However, the runtime instructions reference Alpaca integration and helper scripts (scripts/alpaca.mjs) even though no code files are included and no Alpaca credentials or env vars are declared in the skill manifest — an inconsistency to resolve.
Instruction Scope
SKILL.md instructs the agent to load specific reference files (references/risk_config.yaml, references/AGENTS.md) and to run scripts/alpaca.mjs for account/order operations. In the provided package the files exist under different names/locations (AGENTS.md and risk_config_openclaw_best_practices.yaml at root) and the scripts directory is missing. The skill also expects to detect APCA_API_BASE_URL and may act on broker/account state, but required env vars are not declared. These path/name/env mismatches mean the agent could fail or behave unexpectedly unless the runtime environment is prepared exactly as the instructions assume.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute reduces install-time risk. Nothing is downloaded or written by an installer from unknown URLs.
Credentials
The instructions require access to Alpaca API details (APCA_API_BASE_URL and presumably API credentials) and to broker/account state for safety checks, but the skill manifest lists no required environment variables or primary credential. That mismatch makes it unclear what credentials the agent expects and whether they must be paper-only. Requesting zero credentials in the manifest while instructing to read broker environment/config is disproportionate and risky unless clarified.
Persistence & Privilege
The skill is not marked always:true, has no install hooks, and does not request system-wide changes. It does require loading a risk_config file at startup, which is normal for constrained agents. No unexpected persistence or privilege elevation is apparent.
What to consider before installing
This skill appears to implement a conservative paper-trading options strategy, but there are packaging and configuration mismatches you should resolve before enabling it. Specifically: (1) the instructions expect files at references/... and a helper script scripts/alpaca.mjs, but the archive contains AGENTS.md and a differently named risk_config YAML and no scripts directory — supply or correct these paths. (2) SKILL.md checks APCA_API_BASE_URL and broker state but the manifest declares no env vars or credentials — explicitly confirm which environment variables and credentials the agent will read and ensure they are paper-only. (3) Because this skill can act autonomously, manually review any runtime helper scripts (e.g., alpaca helpers) before use and verify all broker endpoints are the Alpaca paper API. If you cannot inspect or provide the missing scripts and correct file paths, avoid running the skill in autonomous mode or granting it broker credentials until these inconsistencies are fixed.
Like a lobster shell, security has layers — review code before you run it.
latest vk974j11dacwewy68tcpxtkxehd8320e3
