Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

research analyst

v1.0.54

Minimal local stock/crypto analysis (5 core scripts bundled). Public APIs only, zero credentials, no subprocess, ClawHub reviewed.

by Justin Liu (@zhenstaff)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (research analyst) align with included Python scripts and declared dependencies (yfinance, requests, pandas, etc.). Required binaries (python3, pip) and optional CLAWDBOT_STATE_DIR for local storage are appropriate for the stated purpose.
Instruction Scope
SKILL.md instructs running bundled Python scripts and installing pinned PyPI deps. The runtime instructions and scripts operate on public GET APIs, perform local analysis, and store portfolio data under the stated ~/.clawdbot path. The skill does not request unrelated files, credentials, or network uploads in the provided code/instructions.
Install Mechanism
No installation spec is provided (the user installs requirements with pip). That matches SKILL.md, which says dependencies are installed from PyPI. The dependency list is mainstream and pinned; install requires user action (pip install -r requirements.txt), which is normal. There are no remote archive downloads or opaque install URLs in the skill package.
Credentials
The only optional environment variable is CLAWDBOT_STATE_DIR, for customizing local storage; no credentials or unrelated secrets are requested. The skill's use of the network (Yahoo/CoinGecko/Sina/EastMoney/Google News) is coherent with its stated data sources.
Persistence & Privilege
The skill stores portfolio JSON under the user's CLAWDBOT_STATE_DIR (~/.clawdbot by default) and uses an internal lock file; this is expected for a portfolio manager. always:false and normal invocation settings are used. The skill does not attempt to modify other skills or system-wide settings.
Assessment
This skill appears internally consistent with its description, but review and basic precautions are recommended before use:
1) Inspect the bundled Python scripts (they are included) if you want assurance; the package claims no eval/exec/subprocess usage and the code snippets provided match that.
2) Install dependencies in an isolated virtual environment or container (python -m venv / docker) to limit supply-chain risk from PyPI.
3) Run the provided verify_install.sh to confirm the expected files and simple pattern checks.
4) Be aware portfolio data is stored locally (~/.clawdbot/skills/research-analyst/portfolios.json) — if that contains sensitive financial data, restrict file permissions or set CLAWDBOT_STATE_DIR to a secure location.
5) If you require stronger assurance, manually verify the dependency hashes on PyPI and review full script contents (especially network endpoints) before running.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
verify_install.sh:66: Dynamic code execution detected.

Like a lobster shell, security has layers — review code before you run it.

latest: vk973rxvpm322cywegb8tb3n9qh83t70d

Runtime requirements

📈 Clawdis
Bins: python3, pip
Env: CLAWDBOT_STATE_DIR (optional)
