Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
testskill-zip1
v1.0.5
Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock sco...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description and included Python scripts (analysis, hot scanner, watchlist, portfolio, dividends, rumor scanner) are consistent with a stock/crypto analysis tool. Requiring the 'uv' binary is coherent with the many CLI examples that use 'uv run', though several commands invoke 'python3' directly, which is inconsistent. The optional Twitter integration is relevant to the 'hot scanner' and 'rumor scanner', but the metadata declares no required env vars while the docs instruct the user to collect Twitter auth cookies — a mismatch.
Instruction Scope
SKILL.md and docs instruct users to obtain Twitter/X auth by copying browser cookies (auth_token and ct0) via DevTools and to grant Terminal 'Full Disk Access' on macOS. Those steps direct collection of sensitive browser tokens and require elevated system permissions that are outside the normal scope of a data-aggregation/analysis skill. The skill also tells you to create a .env with those tokens and to store portfolio/watchlist data under a home path; the cookie-extraction instructions in particular are disproportionate.
Install Mechanism
Install spec uses a Homebrew formula 'uv' which matches the declared required binary 'uv'. Using a brew formula is a low-to-moderate risk install pattern — verify the formula source/tap and checksum before installing. There is no download-from-arbitrary-URL or extract step in the provided install spec. The presence of both 'uv run' and direct 'python3' invocation is inconsistent but not itself malicious.
Credentials
Declared requirements list no env vars, but documentation asks the user to place AUTH_TOKEN and CT0 in a .env (browser cookie values) for Twitter access. That creates a gap between declared and actual credential needs. Additionally, instructions to grant Terminal full-disk access to retrieve cookies are high-privilege and unnecessary if a proper API/key-based Twitter integration is used. Storing auth cookies in plaintext .env files is also risky.
Persistence & Privilege
The skill persists user data to ~/.clawdbot/skills/stock-analysis (portfolios.json, watchlist.json) which is reasonable for a CLI tool. However, the documentation's guidance to grant 'Full Disk Access' to the Terminal (macOS) elevates privilege beyond normal execution needs and could enable access to other apps' data (cookies). While the skill itself is not flagged as always-enabled, the combination of instructions that require elevated OS permission plus cookie extraction increases the potential blast radius.
What to consider before installing
This skill appears to be a legitimate stock/crypto analysis bundle, but exercise caution before installing or following the Twitter-related setup steps. Specific recommendations:
- Do NOT follow instructions to grant Terminal 'Full Disk Access' or to copy browser cookies unless you fully trust the developer — copying browser cookies gives broad access to your logged-in accounts. Prefer creating a Twitter/X developer app and using proper API keys with minimal scopes instead of extracting cookies.
- The package asks you to store AUTH_TOKEN and CT0 in a .env file; storing session cookies in plaintext is risky. If you must enable social features, use dedicated API credentials and place them in a secure secret store.
- Verify the Homebrew formula 'uv' before installing (check the tap and upstream project). If unsure, run the Python scripts directly inside an isolated environment (virtualenv/container) rather than installing new system binaries.
- Inspect network behavior: review the scripts for where data is POSTed or external endpoints beyond documented sources. Run the code in a sandbox or VM first and monitor outbound connections.
- If you only need core analysis, skip optional social features (hot_scanner --no-social or --fast) to avoid the parts that request elevated privileges.
If you want higher assurance, ask the publisher for: (1) the official brew tap/source for 'uv', (2) justification for requiring browser cookie extraction vs API tokens, and (3) a minimized set of instructions that don't request elevated OS permissions. If those answers are unsatisfactory, run the tool in an isolated VM/container and avoid supplying browser cookies.
latest · vk979j7sgqjz60v6qvv72hr41jn84ekqa
Runtime requirements
📈 Clawdis
Bins: uv
Install
Install uv (brew)
Bins: uv
brew install uv