Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Analysis

v6.2.0

Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock scoring, viral trend detection (Hot Scanner), and rumor/early signal detection. Use for stock analysis, portfolio tracking, earnings reactions, crypto monitoring, trending stocks, or finding rumors before they hit mainstream.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to be a Python-based stock/crypto analyzer, and most commands in SKILL.md run Python scripts (python3 scripts/*.py). Yet metadata requires a binary named 'uv' and the install spec installs a brew formula 'uv'. Requiring only 'uv' (and not declaring python3) is disproportionate and inconsistent with the provided scripts. The skill also documents optional Twitter integration that asks for browser cookie tokens — that capability (accessing browser cookies) is not reflected in requires.env or required config paths.
Instruction Scope
SKILL.md and docs instruct the user to extract Twitter/X tokens from browser DevTools and explicitly tell macOS users to 'Grant Terminal Full Disk Access' to allow the bird CLI to work. Asking users to extract cookies and give Terminal Full Disk Access is excessive for a typical data-aggregation skill and introduces a high-risk path for credential exposure. The docs also suggest cron jobs and store portfolio/watchlist JSON files in the user's home directory (~/.clawdbot/...), which is expected but should have been declared.
Install Mechanism
The only install mechanism is a brew formula 'uv'. Installing via brew is lower risk than downloading arbitrary archives, but 'uv' is an unexpected dependency for a Python project and the brew formula source/tap is not specified. The install creates a binary named 'uv' — verify the formula origin before installing. There is no install step for Python dependencies (requirements.txt), yet the codebase is Python-heavy.
Credentials
requires.env is empty in the registry metadata, but the docs repeatedly reference environment variables and a .env file (AUTH_TOKEN, CT0) for Twitter/X integration and instruct creating .env in the skill directory. Those sensitive tokens are not declared as required credentials. The skill also refers to an SEC identity in TODOs and instructs writing files under ~/.clawdbot — the set of requested/used secrets and paths is under-specified and therefore disproportionate to the declared requirements.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It writes state to ~/.clawdbot/skills/stock-analysis (portfolios.json, watchlist.json) which is reasonable for a portfolio tool but is not declared in required config paths. The bigger persistence risk is the documentation guidance to store tokens in a local .env and to grant Terminal Full Disk Access — these increase attack surface if present on a machine.
What to consider before installing
Key things to check before installing or using this skill:

- Do NOT grant Terminal/Terminal.app 'Full Disk Access' or otherwise give broad OS permissions simply to run this skill. That instruction in the docs is unnecessary for most setups and creates a large security risk.
- Twitter/X integration guidance asks you to extract browser cookies (AUTH_TOKEN, CT0) and store them in a local .env. Extracting cookies and storing them as plain tokens can leak credentials; prefer creating tokens via an official API/developer app and avoid copying browser cookies. If you must use social features, create limited-scope API credentials, store them in a secure secrets manager, and avoid Full Disk Access.
- The metadata requires a binary 'uv' (installed via brew) but the codebase runs many python3 scripts. Investigate the 'uv' package/formula: who maintains it, what it does, and why this project needs it. Do not run unknown brew taps or formulas without verifying origin.
- Confirm python3 and any Python dependencies (requirements.txt) are installed in a contained environment (virtualenv/venv) before running scripts. Consider running the skill inside an isolated VM/container if you will test it.
- Review the scripts (especially hot_scanner.py, rumor_scanner.py) for any unexpected network endpoints, hard-coded URLs, or calls that could exfiltrate data beyond the documented sources (Yahoo, Google News, CoinGecko, SEC EDGAR, Twitter). Search for code that sends data to unknown domains or uses unusual upload endpoints.
- Be cautious with cron automation and the suggested Daily Hot Scanner cron job: running automated network scraping frequently can reveal credentials and amplify risk if tokens are present in environment files.
- If you need the watchlist/portfolio features, examine and back up the JSON files stored under ~/.clawdbot/skills/stock-analysis and consider limiting filesystem permissions.

If you want, I can:

- Identify and summarize all places in the repository that read environment variables, read browser files, or make outbound network calls.
- Inspect the 'uv' brew formula (if you provide its source or link) and the exact Python third-party dependencies to assess risk further.

Like a lobster shell, security has layers — review code before you run it.

latest · vk974z9fcypgbaeref13qmjdpv180dg89

Runtime requirements

📈 Clawdis
Bins: uv

Install

Install uv (brew)
Bins: uv
brew install uv