Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Assistant Final

v3.1.0

Trading analysis system with technical indicators, signals, and position management. Read-only market data, no trade execution.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description: the request for two data-provider API keys (Twelve Data, Alpha Vantage) and Python/pip is proportionate to a market-data/analysis tool. The code implements indicators, signal generation, reports and uses those APIs — this is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs only reading environment API keys and running local Python modules; most files follow that model (HTTP calls to data providers, local data/log writes). However the repository contains a file named live_trading_interface.py (and other runtime/monitoring modules) that could implement execution or require broker credentials — SKILL.md claims 'no trade execution', so you should inspect live_trading_interface.py and any 'live' modules to confirm they are inert or optional. README/Docker instructions also show mounting a .env into the container (user-supplied) which is inconsistent with the SKILL.md emphasis on not loading .env automatically.
Install Mechanism
Registry shows no install spec (instruction-only), but a requirements.txt and many Python modules exist. That is low risk from an install perspective (no remote binary fetch specified), but the mismatch means the agent or user must run pip install -r requirements.txt or use Docker; verify which install/run path you will use and inspect the Docker image source if you plan to run the published container.
Credentials
The only required environment variables declared are TWELVE_DATA_API_KEY and ALPHA_VANTAGE_API_KEY (primary: Twelve Data) — these are appropriate for the stated read-only market-data use. Some optional features (notifications) may use local config files, but no unrelated secrets or broad credentials are requested in metadata. Note: some code reads environment variables beyond those two (e.g., language choice examples) — harmless but verify no hidden env access in omitted files.
Persistence & Privilege
Skill is not always:true and does not request elevated/system-wide privileges. It persists data to project-local directories (data/, logs/, reports/, accuracy logs) which is expected. Autonomous invocation is allowed by default (platform normal); combine this with network access if you plan to enable autonomous agent behavior.
What to consider before installing
This package appears to be a legitimate trading-analysis toolkit, but review a few things before using it with real API keys:
1) Open and inspect live_trading_interface.py and any 'live' or 'interface' modules to confirm they do not execute trades or require broker credentials (the SKILL.md claims read-only).
2) Check for any unexpected network calls or endpoints beyond Twelve Data and Alpha Vantage (search for requests.post, sockets, URLs in the code).
3) The repo contains many files and will persist logs and reports in the project folder — run it in an isolated directory or container if you want to avoid local persistence.
4) The SKILL.md emphasizes not auto-loading .env files, but README/Docker examples show mounting a .env; avoid storing sensitive keys in publicly readable files and prefer ephemeral environment variables or secrets management.
5) If you plan to allow autonomous agent invocation, consider the blast radius: an autonomous skill that can read environment variables and make HTTP requests could exfiltrate keys if modified — only enable autonomous use if you trust the code.
If you want, I can scan the omitted files for specific patterns (subprocess.exec, external POST endpoints, broker SDKs) or show the contents of live_trading_interface.py for a targeted review.

Like a lobster shell, security has layers — review code before you run it.

latestvk970tzsgb29bmbtaezd6b4w6y18424an


Runtime requirements

📊 Clawdis
Bins: python3, pip
Env: TWELVE_DATA_API_KEY, ALPHA_VANTAGE_API_KEY
Primary env: TWELVE_DATA_API_KEY
