Stock Analysis 6.2.0

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Enabling the Twitter/X feature could expose your X account session cookies or broaden Terminal's access to local browser data.

Why it was flagged

The optional Twitter/X integration asks for broad local permission and account session tokens. That access is much more sensitive than ordinary stock analysis and is not reflected in the registry credential declarations.

Skill content

Grant Terminal "Full Disk Access" in System Settings ... Create `.env` file ... AUTH_TOKEN=your_auth_token_here ... CT0=your_ct0_token_here

Recommendation

Use the social-media feature only if you trust the bird CLI and understand the account/session risk; prefer a dedicated low-privilege account and avoid granting Full Disk Access unless necessary.

What this means

A globally installed helper that handles social-media authentication expands the trust boundary beyond the reviewed skill package.

Why it was flagged

The documentation recommends an additional globally installed third-party CLI for Twitter/X access, but the registry install spec only declares uv and does not pin or declare this dependency.

Skill content

brew install steipete/tap/bird ... npm install -g @steipete/bird

Recommendation

Treat bird as a separate dependency to review and keep updated; the skill should declare optional dependencies and avoid requiring global unpinned installs for sensitive account access.

What this means

Your holdings, cost basis, targets, and watchlist choices may remain in local files after use.

Why it was flagged

The skill stores portfolio holdings and watchlists persistently on disk so they can be reused across runs.

Skill content

Portfolios | `~/.clawdbot/skills/stock-analysis/portfolios.json` ... Watchlist | `~/.clawdbot/skills/stock-analysis/watchlist.json`

Recommendation

Do not enter sensitive portfolio data unless you are comfortable storing it locally; periodically review or delete these files if no longer needed.

What this means

If configured, the skill can run on a schedule and continue producing scans without a fresh manual request each time.

Why it was flagged

The documentation includes user-directed recurring execution examples for daily market scans.

Skill content

Cron Job ... Daily at 8 AM ... OpenClaw Integration ... schedule: kind: cron ... message: "Run hot scanner and summarize results"

Recommendation

Only enable cron if you want recurring scans, and review the schedule, output destination, and whether social-media auth is enabled.