Stock Analysis

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: stock-analysis
Version: 6.2.0

The skill is classified as suspicious due to its reliance on an external, user-installed `bird` CLI tool for Twitter/X integration, as detailed in `SKILL.md`, `README.md`, `scripts/hot_scanner.py`, and `scripts/rumor_scanner.py`. This external dependency introduces a supply chain risk, as the security of the skill becomes dependent on the security of the `bird` binary. Furthermore, the skill instructs users to manually extract sensitive `AUTH_TOKEN` and `CT0` session cookies from their browser and store them in a `.env` file; these values are then loaded by the Python scripts and passed to the `bird` CLI. While the skill's own code does not appear to intentionally exfiltrate these credentials, this practice exposes sensitive user session tokens to an external binary, significantly increasing the attack surface and the potential for unauthorized access if the `bird` CLI or the user's environment is compromised.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the local environment, helper CLI, or skill code is compromised, the user's X session tokens or broader local files could be exposed or misused.

Why it was flagged

The optional Twitter/X integration asks the user to expose browser session credentials and grant a broad OS permission to Terminal. Those tokens can represent account access, and Full Disk Access is much broader than a normal finance-data query.

Skill content

Login to x.com in Safari/Chrome; Grant Terminal "Full Disk Access" ... AUTH_TOKEN=your_auth_token_here; CT0=your_ct0_token_here

Recommendation

Prefer running with social media disabled unless needed. If enabling Twitter/X, use the least-privileged supported auth method, avoid broad Full Disk Access where possible, protect or remove the .env file after use, and ensure the optional bird CLI is trusted.

What this means

Installing an extra global CLI can add code outside the reviewed skill package and may inherit the permissions or credentials used for Twitter/X access.

Why it was flagged

The documentation introduces an optional global third-party CLI that is not part of the declared uv-only install spec. This is purpose-aligned for Twitter/X search, but it is additional supply-chain surface.

Skill content

Install bird CLI ... brew install steipete/tap/bird ... npm install -g @steipete/bird

Recommendation

Install optional tools only from trusted sources, review their permissions, and skip the social scanner if you do not need it.

What this means

Anyone or anything with access to those local files may learn the user's tracked holdings or investment interests.

Why it was flagged

The skill stores user portfolio and watchlist data persistently on disk. This is disclosed and purpose-aligned, but financial holdings and watchlists can be sensitive personal data.

Skill content

Portfolios | ~/.clawdbot/skills/stock-analysis/portfolios.json ... Watchlist | ~/.clawdbot/skills/stock-analysis/watchlist.json

Recommendation

Use this feature only on trusted machines, protect the user account, and delete the stored JSON files if you no longer want the skill to retain that data.

Note (High Confidence)
ASI10: Rogue Agents

What this means

If the user enables the cron job, the scanner will keep running on schedule, making network requests and writing cached output/logs until the schedule is removed.

Why it was flagged

The documentation provides a scheduled recurring execution example. It is user-directed and aligned with daily market reports, but it creates ongoing background activity if configured.

Skill content

Set up a daily cron job ... 0 8 * * * cd /path/to/stock-analysis && python3 scripts/hot_scanner.py --json > cache/daily_scan.json

Recommendation

Only create the cron job intentionally, use the no-social option if credentials are not needed, and remove the schedule when daily scans are no longer desired.