Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
super-stock-analysis
v1.0.0
Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock sco...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (market analysis, portfolio, alerts, trend scanning) align with the included Python scripts and documented commands. The declared runtime binary 'uv' is consistent with the provided 'uv run ...' examples. Minor inconsistencies: some examples call 'python3' directly while others use 'uv', and README/storage paths differ (README: ~/.marketpulse vs code default: ~/.clawdbot), which is sloppy but explainable.
Instruction Scope
SKILL.md and README instruct running local scripts that fetch data from Yahoo Finance, CoinGecko, SEC, Google News, and social media—expected for this product. However README includes step-by-step guidance to extract Twitter/X cookies from browser DevTools and store AUTH_TOKEN/CT0 in a .env file, which is a sensitive, manual cookie-extraction flow that encourages copying session cookies (high-risk). The README also tells users to install an npm bird CLI and to run cron jobs; those dependencies and credentials are not declared in the skill metadata. The presence of scripts that perform filesystem writes (portfolio/watchlist storage) and a batch_refactor script that auto-modifies repository files increases risk if users or agents run them unvetted.
Install Mechanism
The only install step is a Homebrew formula 'uv' which matches the runtime commands. Brew installs are lower risk than arbitrary downloads, but 'uv' as a formula is uncommon—verify the formula identity/source before installing. No remote archive downloads or extract operations are present in the manifest.
Credentials
Metadata declares no required env vars, yet README and some features require optional credentials (Twitter/X cookies: AUTH_TOKEN, CT0) and suggest installing bird CLI. These sensitive cookie values are not declared in requires.env or primaryEnv. The code uses an env var MARKETPULSE_DATA_DIR to change storage location (defaults to ~/.clawdbot), while README documents ~/.marketpulse/data — inconsistent. Asking users to paste browser cookies into .env is disproportionate to the stated purpose and raises credential-exfiltration risk if followed without caution.
Persistence & Privilege
The skill does not request always:true and does not require system-wide configuration modifications in the manifest. It stores user data locally (portfolios/watchlist) under a user home path and includes an auto-refactor script that would modify files if run; that script modifies repository files but is not automatically invoked by the skill metadata. No evidence the skill modifies other skills or system-wide agent settings.
What to consider before installing
This skill appears to implement the features it promises, but proceed cautiously. Specific things to consider before installing or running:
- Do not follow the README instruction to copy browser cookies (AUTH_TOKEN/CT0) into a .env file unless you fully trust the source—copying session cookies is sensitive and can expose your account. Prefer official OAuth or API keys from the platform.
- Verify the Homebrew 'uv' formula origin before installing. If possible, run the Python scripts with a controlled Python environment (venv) instead of installing unknown system packages.
- The README and code disagree on storage locations (~/.marketpulse vs ~/.clawdbot); review and set a safe storage path and back up existing files before running scripts that persist local data.
- The repository includes a batch_refactor.py that will modify Python files when executed; do not run it unless you audit and trust the modifications. Treat it as a code-changing tool rather than a benign helper.
- Additional runtime dependencies (node bird CLI, Twitter auth, third-party Python libraries) are referenced in docs but not declared in metadata—inspect and install dependencies in a sandbox first (or run in an isolated VM/container).
If you want to proceed, run the code in an isolated environment, review the scripts you plan to use (especially trend_scanner/signal_scanner/watchlist_manager), and avoid pasting any secrets or copying session cookies into files. If you can provide the brew formula URL for 'uv' and clarify whether any agent will be allowed to execute these scripts autonomously, I can update the assessment and raise/clear specific concerns.
Like a lobster shell, security has layers — review code before you run it.
latestvk97478bhrq67tnv3bhkdmh5efx8438yg
Runtime requirements
📊 Clawdis
Bins: uv
Install
Install uv (brew)
Bins: uv
brew install uv