Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEC Finance

v0.1.0

Fetch structured financial data and filing metadata from SEC EDGAR and SEC XBRL companyfacts for US-listed companies, especially Chinese issuers. Use when th...

by Lu Wang (@wangwllu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description promise (SEC XBRL/companyfacts, CIK resolution, extracting revenue/net income/EPS) matches the included SKILL.md, reference issuer list, and the script. The code only targets SEC endpoints (data.sec.gov and www.sec.gov) and local references/issuers.json; there are no unrelated service credentials, binaries, or config paths requested.
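The normalization the scan describes (companyfacts in, revenue/net income/EPS rows out), as an added example and not the skill's own script. It assumes the public companyfacts layout (facts → taxonomy → concept → units → entries with end/val/fy/fp/form/filed) and searches both us-gaap and ifrs-full concepts, because foreign private issuers such as Chinese ADR issuers file 20-F and commonly tag under ifrs-full in CNY. The sample document and the CIK are constructed.

```python
"""Added example, not the skill's own script: flatten SEC companyfacts JSON into
normalized annual rows for revenue, net income and diluted EPS, with US-GAAP and
IFRS concept fallbacks. The sample document below is constructed; the field
names follow the companyfacts format."""

COMPANYFACTS_URL = "https://data.sec.gov/api/xbrl/companyfacts/CIK{cik:010d}.json"

# Every listed (taxonomy, concept) is searched; rows are merged by period.
CONCEPTS = {
    "revenue": [
        ("us-gaap", "Revenues"),
        ("us-gaap", "RevenueFromContractWithCustomerExcludingAssessedTax"),
        ("ifrs-full", "Revenue"),
    ],
    "net_income": [("us-gaap", "NetIncomeLoss"), ("ifrs-full", "ProfitLoss")],
    "eps_diluted": [
        ("us-gaap", "EarningsPerShareDiluted"),
        ("ifrs-full", "DilutedEarningsLossPerShare"),
    ],
}

ANNUAL_FORMS = ("10-K", "10-K/A", "20-F", "20-F/A")


def companyfacts_url(cik):
    """data.sec.gov expects the CIK zero-padded to 10 digits in the path."""
    return COMPANYFACTS_URL.format(cik=int(cik))


def normalize(doc, forms=ANNUAL_FORMS):
    """One row per (metric, period end). In companyfacts, fy/fp describe the
    filing, not the fact's own period (a 20-F for FY2023 also carries the FY2022
    comparative tagged fy=2023), so periods are keyed on `end` and the most
    recently filed value wins, which also picks up restated comparatives."""
    best = {}
    for metric, candidates in CONCEPTS.items():
        for taxonomy, concept in candidates:
            units = doc.get("facts", {}).get(taxonomy, {}).get(concept, {}).get("units", {})
            for unit, entries in units.items():
                for e in entries:
                    if e.get("form") not in forms or e.get("fp") != "FY":
                        continue  # skip interim periods and non-annual forms
                    row = {
                        "metric": metric, "concept": f"{taxonomy}:{concept}",
                        "period_end": e["end"], "period_year": int(e["end"][:4]),
                        "val": e["val"], "unit": unit,
                        "form": e["form"], "filed": e["filed"], "filing_fy": e["fy"],
                    }
                    key = (metric, e["end"])
                    if key not in best or row["filed"] > best[key]["filed"]:
                        best[key] = row
    return sorted(best.values(), key=lambda r: (r["metric"], r["period_end"]))


# Constructed companyfacts excerpt for a fictitious IFRS filer (not real data).
SAMPLE_COMPANYFACTS = {
    "cik": 1234567,
    "entityName": "Example Holdings Ltd (constructed)",
    "facts": {
        "ifrs-full": {
            "Revenue": {"units": {"CNY": [
                # original FY2022 figure, from the FY2022 20-F
                {"start": "2022-01-01", "end": "2022-12-31", "val": 1000,
                 "fy": 2022, "fp": "FY", "form": "20-F", "filed": "2023-04-20"},
                # restated FY2022 comparative carried in the FY2023 20-F (fy=2023)
                {"start": "2022-01-01", "end": "2022-12-31", "val": 1050,
                 "fy": 2023, "fp": "FY", "form": "20-F", "filed": "2024-04-25"},
                {"start": "2023-01-01", "end": "2023-12-31", "val": 1200,
                 "fy": 2023, "fp": "FY", "form": "20-F", "filed": "2024-04-25"},
            ]}},
            "ProfitLoss": {"units": {"CNY": [
                {"start": "2023-01-01", "end": "2023-12-31", "val": 150,
                 "fy": 2023, "fp": "FY", "form": "20-F", "filed": "2024-04-25"},
            ]}},
            "DilutedEarningsLossPerShare": {"units": {"CNY/shares": [
                {"start": "2023-01-01", "end": "2023-12-31", "val": 0.42,
                 "fy": 2023, "fp": "FY", "form": "20-F", "filed": "2024-04-25"},
            ]}},
        }
    },
}


if __name__ == "__main__":
    for row in normalize(SAMPLE_COMPANYFACTS):
        print(row)
```

Keying on `end` rather than `fy` is the part worth copying: trusting `fy` would label the restated FY2022 comparative as a 2023 value, and taking the first entry instead of the latest `filed` would silently keep the superseded figure.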
Instruction Scope
SKILL.md is narrowly scoped to resolving CIKs, fetching companyfacts, and returning normalized financial rows; the provided CLI examples map directly to the included Python script. One notable instruction in SKILL.md (also implemented in the code) is a deliberate fallback to relaxed TLS handling for endpoint compatibility, i.e. retrying with certificate verification disabled. This broadens network trust and exposes the agent to a man-in-the-middle if an attacker can intercept its traffic. The script otherwise does not read unrelated files or environment variables.
Install Mechanism
There is no install spec; this is an instruction-only skill with an included Python script and a local JSON reference file. Nothing is downloaded or written at install time. Execution requires Python3 at runtime, which is expected for this skill type.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The script does not attempt to read environment secrets. Network access to SEC endpoints is necessary and proportional to the described functionality.
Persistence & Privilege
Skill is not always-on and is user-invocable; it does not request permanent presence, modify other skills, or access other skills' credentials. Autonomous invocation is allowed (platform default) and is appropriate for a data-retrieval skill.
Assessment
This skill appears coherent and implements exactly what it claims: resolving CIKs and pulling structured XBRL companyfacts from SEC endpoints. Before installing or running: (1) review or run the included script in a safe environment; it makes network requests to data.sec.gov and www.sec.gov; (2) be aware the script intentionally falls back to disabling TLS certificate verification when the verified connection fails; on a compromised network, or one with TLS interception, this lets a man-in-the-middle feed the agent forged filing data, so remove the insecure fallback or at least run it only on a network you trust; (3) no secrets are requested by the skill, so installing it creates no direct credential exposure; (4) the issuer list is static and may be incomplete, so verify CIKs when accuracy matters. If you need stronger assurance, ask the publisher for provenance (homepage/source) or run the code in an isolated environment first.
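The fallback flagged under Instruction Scope and in the assessment above, shown as an added example (not the skill's own code) beside a fail-closed version. The transport is injected so both paths can be exercised offline against a constructed interceptor; a real caller would pass urllib.request.urlopen. The endpoint pattern is the companyfacts URL the scan names, and the User-Agent value is a placeholder.

```python
"""Added example, not the skill's own script: the insecure fallback the scan
describes (retry with certificate verification off after a TLS failure) next
to a fail-closed version. `transport` stands in for urllib.request.urlopen so
the behaviour can be demonstrated offline."""
import ssl
import urllib.request
from urllib.error import URLError

# Endpoint pattern the scan names; CIKs are zero-padded to 10 digits.
COMPANYFACTS_URL = "https://data.sec.gov/api/xbrl/companyfacts/CIK{cik:010d}.json"
USER_AGENT = "example-sec-skill contact@example.invalid"  # placeholder (assumption)


def _request(url):
    return urllib.request.Request(url, headers={"User-Agent": USER_AGENT})


def _is_tls_failure(exc):
    # urlopen wraps the SSLError in URLError; a raw SSLError can also surface.
    if isinstance(exc, ssl.SSLError):
        return True
    return isinstance(exc, URLError) and isinstance(exc.reason, ssl.SSLError)


def fetch_with_insecure_fallback(url, transport=urllib.request.urlopen):
    """The pattern the scan flags: on a TLS failure, retry with verification off.
    Any interceptor presenting a self-signed certificate is now trusted."""
    try:
        return transport(_request(url), context=ssl.create_default_context())
    except (ssl.SSLError, URLError) as exc:
        if not _is_tls_failure(exc):
            raise
        return transport(_request(url), context=ssl._create_unverified_context())


def fetch_fail_closed(url, transport=urllib.request.urlopen, cafile=None):
    """Hardened: verification stays on. A corporate TLS-inspecting proxy is handled
    by trusting its CA explicitly via cafile, never by switching verification off."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        return transport(_request(url), context=ctx)
    except (ssl.SSLError, URLError) as exc:
        if not _is_tls_failure(exc):
            raise
        raise RuntimeError(f"TLS verification failed for {url}; refusing to downgrade") from exc


class InterceptingTransport:
    """Constructed stand-in for urlopen that behaves like a man-in-the-middle whose
    certificate does not chain to the trust store: verified connections fail,
    unverified ones receive an attacker-chosen body."""

    def __init__(self):
        self.verify_modes = []

    def __call__(self, request, context=None, **kwargs):
        self.verify_modes.append(context.verify_mode.name)
        if context.verify_mode == ssl.CERT_REQUIRED:
            raise URLError(ssl.SSLCertVerificationError("certificate verify failed"))
        return b'{"cik": 0, "entityName": "attacker-controlled", "facts": {}}'


def demo():
    """Run both fetchers against the interceptor; with a real transport the
    return value would be a response object to .read(), not bytes."""
    url = COMPANYFACTS_URL.format(cik=1)
    mitm = InterceptingTransport()
    body = fetch_with_insecure_fallback(url, transport=mitm)
    try:
        fetch_fail_closed(url, transport=mitm)
        refused = False
    except RuntimeError:
        refused = True
    return {
        "fallback_body": body,
        "fallback_verify_modes": mitm.verify_modes[:2],
        "fail_closed_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The downgrade path accepts whatever the interceptor serves, so the "financial data" the agent then normalizes is attacker-controlled; the fail-closed version turns the same condition into a visible error, and an environment with legitimate TLS inspection is fixed by supplying the proxy CA through cafile rather than by relaxing verification.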

Like a lobster shell, security has layers — review code before you run it.

latest: vk97352d6cbhb62g1qff3bd1tbh83dtbb
