Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Analysis 6.2.0
v1.0.0Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock scoring, viral trend detection (Hot Scanner), and rumor/early signal detection. Use for stock analysis, portfolio tracking, earnings reactions, crypto monitoring, trending stocks, or finding rumors before they hit mainstream.
⭐ 0· 1k·22 current·28 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and code (Python scripts for analysis, hot/rumor scanners, portfolios, watchlists) align with the stated purpose. However, the SKILL metadata only declares a dependency on the 'uv' binary while the documentation/runtime instructions expect additional tooling (bird CLI / npm or brew-installed) and Twitter auth tokens. Those extra requirements are not declared in the manifest, creating a mismatch between claimed requirements and actual operational needs.
Instruction Scope
SKILL.md and the docs instruct the operator to extract Twitter/X authentication cookies (auth_token and ct0) from the browser and to 'Grant Terminal Full Disk Access' to read them, and to put them into a .env or environment variables. This directs users to access and move sensitive browser credentials and to elevate system permissions — actions outside the reasonable scope of a stock-analysis tool. The docs also instruct installing the bird CLI (npm/brew) but that's not declared in the install metadata. The instructions also include cron automation and local storage paths (e.g., ~/.clawdbot/skills/stock-analysis/) which are expected but should be made explicit and permissioned carefully.
Install Mechanism
The declared install spec is a single brew formula (uv), which is low-risk. The repository includes local Python scripts (no remote downloads in install spec). However, the docs recommend installing an additional third-party CLI (bird) via npm/brew but that is not part of the install spec. There are no downloads from unknown personal servers in the install metadata, which is good, but the inconsistency (missing tooling in install metadata) is noteworthy.
Credentials
The registry metadata declares no required env vars, but the runtime docs explicitly instruct creating a .env or exporting AUTH_TOKEN and CT0 (Twitter cookies) and potentially other tokens for Telegram/notifications. Asking users to export browser cookie tokens (and to grant Full Disk Access to retrieve them) is disproportionate for a third-party skill and increases risk of credential theft or accidental exfiltration. Other storage locations (portfolios/watchlist under ~/.clawdbot/skills/stock-analysis/) are reasonable, but sensitive tokens stored in plaintext .env files should be flagged.
Persistence & Privilege
The skill does not request always:true and behaves like a normal, user-invocable skill. However, the documentation's recommendation to grant Terminal 'Full Disk Access' to extract browser cookies elevates system privilege requirements outside the skill's domain. Combined with instructions to store auth tokens locally and to run cron jobs, this creates a higher persistence/privilege risk than the manifest indicates.
What to consider before installing
This skill appears to be a legitimate stock/crypto analysis tool, but there are concerning mismatches between what the manifest declares and what the runtime docs instruct:
- The SKILL metadata only lists 'uv' as a binary, yet the Hot Scanner/Twitter integration requires the third-party bird CLI (npm/brew) and manual extraction of Twitter cookie tokens (AUTH_TOKEN and CT0). The manifest should declare those dependencies and any required env vars.
- The docs explicitly instruct users to extract browser cookies and to 'Grant Terminal Full Disk Access' so cookies can be read. Do NOT grant Full Disk Access or broadly elevate privileges just to make a skill work. That practice exposes all browser data and is high-risk.
- Storing auth tokens in plaintext .env files is fragile. If you want Twitter/X data, prefer using official API keys (from a developer app) with limited scopes, not browser cookie harvesting.
Before installing or using this skill consider these steps:
1. Inspect the Python scripts (they are included) for any network calls to unexpected domains or hard-coded endpoints. Verify all outgoing endpoints are legitimate (Yahoo, CoinGecko, Google News, SEC, etc.).
2. If you need Twitter/X data, create a controlled API credential (developer app) and provide only those keys; avoid using browser cookies. Ask the maintainer to support official API keys and to document required env vars in the manifest.
3. Do not grant Terminal Full Disk Access. If the bird CLI truly requires browser cookies, reject that approach or run the scanner in a tightly controlled sandbox/VM isolated from personal data.
4. Keep .env files and any saved tokens in a secure location with limited file permissions; consider using platform secure storage instead of plaintext files.
5. Because the skill's manifest omits required tooling and env vars, prefer running it in an isolated environment (container or VM) and review the code's network behavior while executing (or run tests) before granting any elevated host permissions.
Given the privileged instructions around cookie extraction and undeclared dependencies, treat this skill as suspicious until those inconsistencies are reconciled by the author (declare bird and required env vars in metadata, remove cookie-harvesting instructions, or switch to official API keys).Like a lobster shell, security has layers — review code before you run it.
latestvk976sabjw2vvf1nw7dcg130089813gg8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📈 Clawdis
Binsuv
Install
Install uv (brew)
Bins: uv
brew install uv