Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Assistant Minimal

v3.1.0

Trading analysis system with technical indicators, signals, and position management. Read-only market data, no trade execution.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (read-only trading analysis) is consistent with the declared requirements: python/pip and two market-data API keys (Twelve Data, Alpha Vantage). However, the repository includes modules whose names imply extra capabilities (live_trading_interface.py, realtime_monitor.py, news_sentiment_monitor.py, notifications) that could go beyond strictly read-only analysis. The notification defaults (a Feishu chat id in DEFAULT_CONFIG) and the Docker examples that mount .env files are legitimate features for a monitoring tool, but they expand the skill's outward-facing capability surface beyond pure data reads.
Instruction Scope
SKILL.md instructs only loading API keys from environment variables and running Python analysis scripts, which matches the manifest. The instructions explicitly say there is no runtime .env scanning. However, the documentation and README also include Docker usage that mounts .env and references notification channels, and the codebase contains modules that persist data (reports, accuracy logs, portfolio files) and refer to external notification endpoints (Feishu). Without reviewing the implementation of the notification and live_trading modules, it is unclear whether any data (including analysis results or watchlists) may be sent to external endpoints beyond the two market-data APIs.
Install Mechanism
No custom install script; dependencies are standard Python packages (requirements.txt, e.g., requests). No third-party downloads or archive extracts are present in the skill metadata. This is a low-risk install mechanism relative to arbitrary binaries or remote extracts.
Credentials
The required environment variables (TWELVE_DATA_API_KEY, ALPHA_VANTAGE_API_KEY) are proportional to the stated purpose. There are no unexpected required credentials. That said, the codebase contains a default Feishu chat_id and references to feishu_config.json and notification channels, yet no notification credentials are declared as required env vars — this means notification configuration may live in project files rather than environment variables, which expands where secrets/config can appear and deserves review.
Persistence & Privilege
The skill does read/write within its own project directories (data/, logs/, reports/, accuracy_log.json, portfolio/). It does not request always:true or system-wide privileges. Writing to its own storage is expected for reporting and logs; users should note these files will be created in the skill folder.
What to consider before installing
This package appears to be a coherent trading analysis toolkit that legitimately needs the two market-data API keys it requests. Before installing or running it:

- Inspect live_trading_interface.py, realtime_monitor.py, and news_sentiment_monitor.py to confirm they do not accept or use broker/execution credentials and that they only call the declared market-data APIs. The module name live_trading_interface is worth special review for any trade-execution logic.
- Check the notification/Feishu code (feishu_config.json and any send/push functions) to see whether analysis or watchlist data will be posted to external endpoints and where notification credentials are stored. The skill includes a default Feishu chat_id in its config; verify whether you need to provide tokens/URLs and whether they are stored in files or environment variables.
- Prefer setting API keys as environment variables (export TWELVE_DATA_API_KEY=...) rather than creating and mounting .env files; the documentation mixes both approaches. Mounting arbitrary .env files can accidentally expose unrelated secrets if you reuse files.
- Run the tool in an isolated environment (virtualenv/venv or container) and with test API keys if possible. Avoid providing any broker or trading-execution credentials unless you have audited the code paths that would use them.

If you want, I can scan the contents of specific files (live_trading_interface.py, realtime_monitor.py, news_sentiment_monitor.py, any notification helper) to give a precise assessment of outbound calls and any hidden endpoints.
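The Instruction Scope and Credentials findings above, and the first two checklist items, all come down to one question: which of the skill's Python files talk to the network, to which hosts, and what configuration or credentials they read or embed. The script below is an added example of how to answer that statically before running anything. It is not code from the Trading Assistant Minimal skill or from ClawHub; the SAMPLE string is a constructed stand-in for a notifications module, and the two allow-listed hostnames are assumed (check them against the skill's own client code).

```python
"""Static triage of a skill's Python source before running it. Added example
for this page, not code from the Trading Assistant Minimal skill; SAMPLE is a
constructed stand-in for a notifications module, not the skill's real file."""
import ast
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Env vars the manifest declares (from the page's Runtime requirements).
DECLARED_ENV = {"TWELVE_DATA_API_KEY", "ALPHA_VANTAGE_API_KEY"}
# Hostnames of the two declared market-data APIs (assumed; confirm against the
# skill's own client code before trusting this allow-list).
ALLOWED_HOSTS = {"api.twelvedata.com", "www.alphavantage.co"}
# Call targets that move data off-host (requests per requirements.txt, plus
# common stdlib/third-party equivalents).
NETWORK_CALLS = {
    "requests.get", "requests.post", "requests.put", "requests.request",
    "urllib.request.urlopen", "socket.create_connection",
    "httpx.get", "httpx.post", "aiohttp.ClientSession",
}
ENV_GETTERS = {"os.getenv", "os.environ.get"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Dict keys suggesting notification or broker credentials kept in code.
SENSITIVE_KEY_RE = re.compile(r"secret|token|webhook|broker|api[_-]?key|chat_id", re.I)

Finding = namedtuple("Finding", "file line kind detail")

def dotted_name(node):
    """'requests.post' for an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def env_kind(var):
    return "env_declared" if var in DECLARED_ENV else "env_undeclared"

def scan_source(filename, source):
    """Findings for one file: outbound calls, URLs, env reads, embedded config.
    Uses the Python 3.9+ AST layout (Subscript.slice is the index node)."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in NETWORK_CALLS:
                findings.append(Finding(filename, node.lineno, "network_call", name))
            elif name in ENV_GETTERS and node.args and isinstance(node.args[0], ast.Constant):
                var = node.args[0].value
                findings.append(Finding(filename, node.lineno, env_kind(var), var))
        elif isinstance(node, ast.Subscript) and dotted_name(node.value) == "os.environ":
            if isinstance(node.slice, ast.Constant):  # os.environ["X"]
                var = node.slice.value
                findings.append(Finding(filename, node.lineno, env_kind(var), var))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):  # URLs embedded in any string literal
                kind = "url_allowed" if urlsplit(url).hostname in ALLOWED_HOSTS else "url_undeclared"
                findings.append(Finding(filename, node.lineno, kind, url))
        elif isinstance(node, ast.Dict):  # literal config dicts such as DEFAULT_CONFIG
            for key, val in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                        and SENSITIVE_KEY_RE.search(key.value)
                        and isinstance(val, ast.Constant) and val.value not in (None, "")):
                    findings.append(Finding(filename, key.lineno, "hardcoded_config",
                                            f"{key.value}={val.value!r}"))
    return findings

def triage(filename, source):
    """Group one file's findings: {kind: sorted detail strings}."""
    grouped = {}
    for f in scan_source(filename, source):
        grouped.setdefault(f.kind, []).append(f.detail)
    return {k: sorted(v) for k, v in grouped.items()}

# Constructed sample mirroring what the scan report describes (a default Feishu
# chat id in DEFAULT_CONFIG, one declared market-data key, a push function).
SAMPLE = '''
import os, requests
DEFAULT_CONFIG = {"feishu_chat_id": "oc_example_chat", "poll_seconds": 60}
TD_KEY = os.getenv("TWELVE_DATA_API_KEY")
BROKER_SECRET = os.environ["BROKER_API_SECRET"]
def quote(symbol):
    return requests.get("https://api.twelvedata.com/quote", params={"symbol": symbol, "apikey": TD_KEY}).json()
def push(text):
    requests.post("https://open.feishu.cn/open-apis/bot/v2/hook/EXAMPLE", json={"msg_type": "text", "content": {"text": text}})
'''

if __name__ == "__main__":
    for kind, details in triage("notifications.py", SAMPLE).items():
        print(f"{kind}: {', '.join(details)}")
```

Run it over the real skill by feeding each file under the unpacked zip to `triage` (a `pathlib.Path(root).rglob("*.py")` loop is enough). Anything reported as url_undeclared, env_undeclared or hardcoded_config is exactly what the checklist asks you to read by hand: an endpoint other than the two market-data APIs, a credential the manifest does not declare (a broker secret would show up here), or notification config baked into a source file instead of the environment. The AST walk sees only literal calls and strings, so a URL assembled at runtime or loaded from feishu_config.json will not appear; treat a clean run as a starting point, not a verdict.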


latest: vk9733515c5z36wh01by3kmyqq5843abf


Runtime requirements

📊 Clawdis
Bins: python3, pip
Env: TWELVE_DATA_API_KEY, ALPHA_VANTAGE_API_KEY
Primary env: TWELVE_DATA_API_KEY
