Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stock Analysis 6
v1.0.0
Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock scoring, viral trend detection (Hot Scanner), and rumor/early signal detection. Use for stock analysis, portfolio tracking, earnings reactions, crypto monitoring, trending stocks, or finding rumors before they hit mainstream.
⭐ 0 · 1k · 3 current · 3 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · high confidence
Purpose & Capability
Name/description align with included Python scripts (analysis, hot scanner, rumor scanner, portfolio, watchlist, dividends). However, the manifest only declares one required binary (uv) while the SKILL.md/docs also call out python3, npm/bird (Twitter CLI), and browser access; these additional tools are needed for full functionality but are not declared in requires. That mismatch suggests incomplete metadata or sloppy packaging, not necessarily malicious, but it increases operational friction and risk.
Instruction Scope
SKILL.md/docs instruct the user to extract Twitter/X auth tokens from browser cookies (AUTH_TOKEN, CT0), to grant Terminal 'Full Disk Access' (macOS) for using browser cookies, and to run cron jobs that fetch external data. Those instructions request sensitive local data and privileged actions unrelated to core analysis logic (you can run a hot scan without browser cookies). The rumor scanner also collects and aggregates data from many external endpoints. The instructions therefore go beyond simple analysis and include steps that could expose sensitive tokens if followed.
Install Mechanism
Install spec only installs 'uv' via brew. The package is otherwise a Python project with many scripts and implicit Python dependencies; SKILL.md also recommends installing the 'bird' CLI via npm or brew for Twitter integration. There are no pip/npm install steps or requirements.txt enforced by the install spec, so running the skill as-is may fail or require ad-hoc installs. The brew install for a single binary is low-risk, but the packaging is incomplete.
Credentials
Declared required env vars: none. But the docs reference AUTH_TOKEN and CT0 for Twitter (sensitive session cookies) and suggest creating a .env with those values. The TODO/docs also mention an SEC identity (stock-analysis@clawd.bot). Asking users to copy browser cookie tokens into .env and to grant Terminal Full Disk Access is disproportionate to the stated purpose and increases the risk of credential leakage. The skill makes network calls to many external services (Yahoo, CoinGecko, Google News, SEC EDGAR, Twitter) but declares neither required credentials nor how credentials are protected.
Persistence & Privilege
The skill writes local state (portfolios/watchlist stored under ~/.clawdbot/skills/stock-analysis/*.json) and suggests cron automation; both are expected for a watchlist/alerting tool. The manifest sets always:false and requests no modifications to other skills or global configs. Autonomous invocation is allowed by default (normal) and is not combined with 'always:true' or broad undeclared credential access in the manifest, so the persistence/privilege level is within typical expectations.
What to consider before installing
Proceed cautiously. Specific things to consider before installing or running:
- Source trust: the skill's source is unknown. Only install if you trust the author.
- Incomplete metadata: the manifest only declares 'uv', but docs instruct use of python3, bird (Twitter CLI via npm or brew), and browser cookie extraction — expect to manually install Python packages and CLIs.
- Do NOT follow the advice to grant Terminal 'Full Disk Access' or copy browser cookie tokens (AUTH_TOKEN / CT0) into a .env unless you fully understand the risks. Extracting cookies and storing them in plaintext is a privacy/security hazard and can expose your account.
- Prefer official APIs and scoped API keys. If you want Twitter/X integration, use OAuth tokens or an official API key with least privilege rather than copying browser cookies.
- Run first in an isolated environment (VM/container) and inspect the Python scripts (they are included) to see which endpoints they call and whether they log or transmit sensitive data. Look for outgoing network calls and where results are posted or stored.
- If you will run the hot_scanner/rumor_scanner on a schedule, restrict network access or run with a dedicated low-privilege account; consider rate limits (SEC EDGAR) and third-party terms of service.
- If you need only basic stock analysis, avoid enabling optional social/Twitter features and run with --no-social or --no-insider flags to reduce external requests.
What would change this assessment: if the publisher provided an authoritative source URL, a full install script that safely installs Python deps and documents required credentials, and removed instructions that recommend extracting browser cookies, confidence could shift toward 'benign'.
Like a lobster shell, security has layers — review code before you run it.
latestvk974wa7f2wx818anab9d83mqrd811n6q
Runtime requirements
📈 Clawdis
Bins: uv
Install
Install uv (brew)
Bins: uv
brew install uv