Trading Assistant Core

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned trading-analysis and portfolio-tracking skill. Users should note that it consumes third-party market-data API keys, stores portfolio and prediction data on local disk, and can optionally post notifications to an external webhook.

Before installing, confirm you are comfortable providing market-data API keys, storing portfolio details locally, and using any optional notification webhooks. Do not provide brokerage credentials, and do not treat the tool's output as financial advice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use your Twelve Data and Alpha Vantage API keys and may consume quota on those accounts.

Why it was flagged

The skill requires third-party market-data API keys; this is expected for its purpose, and the visible code reads them from environment variables rather than hardcoding or logging them.

Skill content
requires:
      env:
        - TWELVE_DATA_API_KEY
        - ALPHA_VANTAGE_API_KEY
Recommendation

Use read-only market-data keys, never supply brokerage or trading credentials, and monitor usage of the keys on the provider side so unexpected quota consumption is noticed.

#
ASI06: Memory and Context Poisoning
Low
What this means

Your holdings, share counts, costs, notes, and portfolio values may be saved on disk.

Why it was flagged

The portfolio manager persists holdings data locally, which is purpose-aligned for portfolio tracking but can include sensitive personal financial information.

Skill content
PORTFOLIO_FILE = Path(__file__).parent / "portfolio" / "holdings.json"
Recommendation

Only enter financial details you are comfortable storing locally, restrict the portfolio directory and its files to your own user with ordinary file permissions, and delete the generated portfolio files once they are no longer needed.
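The recommendation above amounts to two concrete habits: write the holdings file so that only the owning user can read it, and refuse to load it if the permissions have been widened. The following is an added example (not the skill's own code) showing both for a holdings.json at the location the snippet suggests; it assumes a POSIX filesystem, and the sample holdings and temporary directory are constructed for the demo.

```python
"""Owner-only persistence for portfolio holdings (added example)."""
import json
import os
import stat
import tempfile
from pathlib import Path


def save_holdings(path: Path, holdings: dict) -> Path:
    """Write holdings as JSON readable only by the current user.

    The directory is forced to 0700 and the file to 0600. The JSON goes to a
    temp file in the same directory and is renamed into place, so a crash
    mid-write never leaves a half-written file behind.
    """
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    # mkdir's mode is masked by umask and ignored if the dir already exists,
    # so enforce it explicitly.
    os.chmod(path.parent, 0o700)
    # mkstemp creates the file 0600; os.replace keeps that mode.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".holdings-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(holdings, fh, indent=2, sort_keys=True)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def check_permissions(path: Path) -> list:
    """Return findings for any group/other bits set; empty list means owner-only."""
    path = Path(path)
    findings = []
    for p, allowed in ((path.parent, 0o700), (path, 0o600)):
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & ~allowed:
            findings.append(f"{p}: mode {mode:04o} is wider than {allowed:04o}")
    return findings


def load_holdings(path: Path) -> dict:
    """Load holdings, refusing if the file or directory is readable by others."""
    problems = check_permissions(path)
    if problems:
        raise PermissionError("; ".join(problems))
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def run_demo() -> dict:
    """Round-trip constructed holdings through a temp dir and report the checks."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "portfolio" / "holdings.json"
        sample = {"AAPL": {"shares": 10, "cost": 150.0, "notes": "long-term"}}  # constructed
        save_holdings(path, sample)
        tight = check_permissions(path)          # expected: []
        loaded = load_holdings(path)
        os.chmod(path, 0o644)                    # simulate a careless chmod
        loose = check_permissions(path)          # expected: one finding for the file
    return {
        "findings_when_tight": tight,
        "loaded_matches": loaded == sample,
        "findings_when_loose": loose,
    }


if __name__ == "__main__":
    print(run_demo())
```

The load-side check matters as much as the write-side one: a backup or sync tool that recreates the file with a default umask silently undoes the restriction, and refusing to read widened files surfaces that instead of hiding it.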

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

If notification webhooks are configured, trading alerts or related information may be sent to an external chat service.

Why it was flagged

The configuration can enable a Feishu notification webhook if related environment variables are present; the provided snippets do not show actual notification sending, but webhook-based integrations can move data outside the local environment.

Skill content
feishu_webhook_url = (
        os.environ.get("FEISHU_WEBHOOK_URL")
        or os.environ.get("FEISHU_WEBHOOK")
    )
Recommendation

Configure webhooks only for trusted destinations (HTTPS endpoints you control or recognise), and keep sensitive portfolio details out of notifications unless you intend to send them off the machine.
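A practical way to enforce the recommendation above is to resolve the webhook exactly as the skill's snippet does (FEISHU_WEBHOOK_URL, then FEISHU_WEBHOOK) but reject any destination that is not HTTPS to an allowlisted host, and to strip portfolio-level fields from an alert before it is posted. This is an added example, not code from the skill; the allowlisted host and the list of sensitive field names are assumptions to adjust for your own deployment.

```python
"""Allowlist outbound webhooks and redact alert payloads (added example)."""
import os
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: hosts that may receive alerts. Adjust to your tenant.
ALLOWED_WEBHOOK_HOSTS = frozenset({"open.feishu.cn"})

# Assumed set of alert fields that must not leave the machine.
SENSITIVE_FIELDS = frozenset({"shares", "cost_basis", "portfolio_value", "notes"})


def webhook_problem(url: str) -> Optional[str]:
    """Return a reason the URL is unacceptable, or None if it passes."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} is not https"
    if parts.username or parts.password:
        return "credentials embedded in webhook URL"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_WEBHOOK_HOSTS:
        return f"host {host!r} is not in the allowlist"
    return None


def resolve_webhook_url(env=None) -> Optional[str]:
    """Same env lookup order as the skill snippet, gated by webhook_problem.

    Returns None when no webhook is configured; raises ValueError when one
    is configured but points somewhere untrusted.
    """
    env = os.environ if env is None else env
    url = env.get("FEISHU_WEBHOOK_URL") or env.get("FEISHU_WEBHOOK")
    if not url:
        return None
    problem = webhook_problem(url)
    if problem:
        raise ValueError(f"refusing webhook {url!r}: {problem}")
    return url


def redact_alert(alert: dict) -> dict:
    """Keep only fields a stop-loss alert needs (symbol, prices, levels)."""
    return {k: v for k, v in alert.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    # Constructed environment and alert for a local dry run.
    demo_env = {"FEISHU_WEBHOOK": "https://open.feishu.cn/open-apis/bot/v2/hook/example"}
    print(resolve_webhook_url(demo_env))
    print(redact_alert({"symbol": "AAPL", "price": 170.2, "stop": 165.0,
                        "shares": 10, "notes": "retirement"}))
```

Keeping the original lookup order means a user who already set either variable gets the same behaviour, while a typo that points the webhook at http:// or at an unexpected host fails loudly instead of quietly exfiltrating alerts.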

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Alert-related features that the package imports may fail at runtime, or may depend on code that is not present in the reviewed artifact set.

Why it was flagged

The package imports a stop_loss_alerts module that is not listed in the provided file manifest, indicating a packaging or provenance inconsistency rather than clear malicious behavior.

Skill content
from .stop_loss_alerts import StopLossAlert, calculate_stop_loss_levels
Recommendation

Install from a trusted, versioned source and verify the complete package contents before relying on alert-related features.
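Both the ASI03 finding (keys read from the environment, not hardcoded or logged) and this ASI04 finding (a relative import with no matching file in the manifest) are the kind of artifact-only signals a reviewer can reproduce from the files alone. The following is an added example of such a check, written for this page and not part of ClawScan or the skill: it parses one module with Python's ast, compares environment reads against the declared requires.env list, flags relative imports absent from the manifest, and flags key-like string literals and print/log calls of key-named variables. The manifest, declared env list, and module source are constructed to mirror the snippets on this page.

```python
"""Artifact-only review of a skill module (added example)."""
import ast
import re
from typing import Dict, List

# Constructed inputs modelled on the snippets above.
SAMPLE_MANIFEST = {"SKILL.md", "trading/__init__.py", "trading/portfolio.py"}
SAMPLE_DECLARED_ENV = ["TWELVE_DATA_API_KEY", "ALPHA_VANTAGE_API_KEY"]
SAMPLE_SOURCE = '''
import os
from .portfolio import PortfolioManager
from .stop_loss_alerts import StopLossAlert, calculate_stop_loss_levels

TWELVE_KEY = os.environ.get("TWELVE_DATA_API_KEY")
AV_KEY = os.environ["ALPHA_VANTAGE_API_KEY"]
FEISHU = os.environ.get("FEISHU_WEBHOOK_URL") or os.environ.get("FEISHU_WEBHOOK")
BACKUP_KEY = "A1B2C3D4E5F6G7H8I9J0K1L2M3N4"   # constructed, not a real key
print("using key", TWELVE_KEY)
'''

SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.I)
SECRET_VALUE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")
LOG_METHODS = {"debug", "info", "warning", "error", "critical"}


def env_names(tree: ast.AST) -> set:
    """Names read via os.environ.get(...), os.getenv(...) or os.environ[...]."""
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            fn = node.func
            environ_get = (fn.attr == "get" and isinstance(fn.value, ast.Attribute)
                           and fn.value.attr == "environ")
            getenv = fn.attr == "getenv"
            if (environ_get or getenv) and node.args and isinstance(node.args[0], ast.Constant):
                found.add(node.args[0].value)
        if (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute)
                and node.value.attr == "environ" and isinstance(node.slice, ast.Constant)):
            found.add(node.slice.value)
    return found


def review(source: str, module_path: str, manifest: set, declared_env: list) -> Dict[str, List[str]]:
    """Run the four checks over one module; each key maps to a sorted list of hits."""
    tree = ast.parse(source)
    pkg = module_path.rsplit("/", 1)[0]
    findings = {"env_not_declared": sorted(env_names(tree) - set(declared_env)),
                "missing_modules": [], "hardcoded_secrets": [], "secret_logging": []}
    for node in ast.walk(tree):
        # Relative import whose target file or package is not in the manifest.
        if isinstance(node, ast.ImportFrom) and node.level == 1 and node.module:
            as_file = f"{pkg}/{node.module}.py"
            as_pkg = f"{pkg}/{node.module}/__init__.py"
            if as_file not in manifest and as_pkg not in manifest:
                findings["missing_modules"].append(node.module)
        # Key-named variable assigned a long literal: likely a hardcoded secret.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and SECRET_VALUE.match(node.value.value)):
                    findings["hardcoded_secrets"].append(target.id)
        # print(...) or logger.<level>(...) given a key-named variable.
        if isinstance(node, ast.Call):
            fn = node.func
            is_print = isinstance(fn, ast.Name) and fn.id == "print"
            is_log = isinstance(fn, ast.Attribute) and fn.attr in LOG_METHODS
            if is_print or is_log:
                for arg in node.args:
                    if isinstance(arg, ast.Name) and SECRET_NAME.search(arg.id):
                        findings["secret_logging"].append(arg.id)
    for key in ("missing_modules", "hardcoded_secrets", "secret_logging"):
        findings[key] = sorted(findings[key])
    return findings


if __name__ == "__main__":
    for k, v in review(SAMPLE_SOURCE, "trading/__init__.py",
                       SAMPLE_MANIFEST, SAMPLE_DECLARED_ENV).items():
        print(f"{k}: {v}")
```

On the constructed module the missing stop_loss_alerts import is reported, the optional Feishu variables show up as environment reads the requires.env block does not declare, and the two deliberately planted defects (a literal in BACKUP_KEY and a print of TWELVE_KEY) are caught, which is exactly the evidence that the page's snippets, read on their own, say is absent from the real skill.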