Stock Alert Workflow

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent stock and crypto analysis skill. It stores portfolio data locally and uses third-party finance data, both of which are expected for this purpose but which users should be aware of.

This skill looks reasonable for stock and crypto analysis, but remember that it stores portfolio holdings locally and contacts external finance/news providers for ticker data. It appears to track portfolios rather than place trades; do not provide brokerage credentials or rely on it as financial advice.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill depends on external packages, so package provenance and future package updates matter.

Why it was flagged

Running the skill can resolve and execute third-party Python packages with lower-bound versions rather than pinned versions.

Skill content

dependencies = [
#     "yfinance>=0.2.40",
#     "pandas>=2.0.0",
#     "fear-and-greed>=0.4",
#     "edgartools>=2.0.0",
#     "feedparser>=6.0.0",
# ]

Recommendation

Install only from a trusted registry/source and consider pinning or reviewing dependencies if using it in a sensitive environment.

What this means

A mistaken command could change or remove the user's locally tracked holdings and cost-basis records.

Why it was flagged

The documented portfolio commands can intentionally mutate or delete local portfolio records.

Skill content

uv run {baseDir}/scripts/portfolio.py update AAPL --quantity 150
uv run {baseDir}/scripts/portfolio.py remove BTC-USD
...
uv run {baseDir}/scripts/portfolio.py delete "My Portfolio"

Recommendation

Use portfolio mutation/delete commands only when explicitly requested, and keep a backup of important portfolio data.

What this means

The stored file may reveal financial interests, quantities, and cost basis, and corrupted data could affect future portfolio reports.

Why it was flagged

The skill persists portfolio data locally across sessions for later analysis.

Skill content

Portfolio Storage: `~/.clawdbot/skills/stock-analysis/portfolios.json`

Recommendation

Treat the portfolio file as sensitive local data and verify it before relying on portfolio-level analysis.

What this means

Requested tickers or portfolio tickers may be sent to third-party data services during analysis.

Why it was flagged

The skill discloses external providers used for market and news data.

Skill content

Data Sources

- [Yahoo Finance](https://finance.yahoo.com) - Price, fundamentals, earnings
- [CNN Fear & Greed](https://money.cnn.com/data/fear-and-greed/) - Market sentiment
- [SEC EDGAR](https://www.sec.gov/edgar) - Insider trading (Form 4)
- [Google News RSS](https://news.google.com) - Breaking news

Recommendation

Avoid analyzing sensitive watchlists or portfolios if you do not want those ticker lookups sent to the listed data providers.