Fin Intel Hub
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its financial-data purpose, but it needs review because optional API keys may be exposed in raw error output despite documentation claiming redaction.
Review before installing if you plan to provide API keys. The skill appears intended for public financial data lookups and does not show trading or account access, but you should avoid sharing logs/transcripts from failed API calls until error redaction is fixed, and confirm the requests dependency/source before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Market research inputs may be shared with external data providers as part of normal operation.
The skill is intended to make network calls to multiple financial data providers. This is expected for the stated purpose, but users should understand that their requested tickers, symbols, protocols, or queries may be sent to third-party APIs.
Access global financial data including SEC filings, Asian and US stock markets, crypto on-chain metrics, financial news sentiment, and macroeconomic indicators.
Use it for public financial research and avoid entering private portfolio details unless you are comfortable with those provider requests.
If an API call fails, your financial-data API key could be accidentally disclosed in local logs or the agent conversation.
The code places an API key in request parameters and then prints/returns raw exception strings. HTTP errors can include the request URL and query string, so provider keys may appear in logs, transcripts, or user-visible output.
params = {"series_id": series_id, "api_key": self.api_key, "file_type": "json"} ... except Exception as e: print(f"FRED API error: {e}") ... return {"series_id": series_id, "error": str(e)}Redact api_key/apikey values before logging or returning errors, and avoid returning raw exception strings from API calls.
The skill may fail or rely on whatever requests version is already present in the environment.
The documentation treats requests as if no package installation is needed, but requests is not part of the Python standard library. With no install spec, runtime dependency handling is under-declared.
requirements: | No pip packages required. Uses only Python standard library + requests.
Declare the requests dependency explicitly, ideally with a pinned or bounded version, or document that OpenClaw provides it.
Users may set API keys believing all errors are safely redacted when some failure paths may still expose sensitive values.
This strong safety claim is not fully supported by the supplied code, which includes raw exception printing/returning around API requests. The mismatch can cause users to over-trust credential handling.
Secure Logging ... No raw exceptions logged (prevents info leakage)
Either update the documentation to accurately describe limitations or apply the secure logger and redaction consistently across all modules.