research analyst
Pass
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate local market-analysis skill; the main things to notice are PyPI dependency installation, public API ticker queries, and local portfolio storage.
Use a virtual environment or container for installation, avoid running pip with elevated privileges, be aware that ticker queries go to external finance APIs, and protect the local portfolios.json file if you use portfolio tracking.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or unexpected dependency could affect the Python environment where the skill is installed.
The skill depends on third-party Python packages installed from PyPI. This is expected for a Python finance-analysis tool, but dependency trust remains part of the install decision.
pip install -r requirements.txt
Install in a virtual environment or container, avoid sudo, and review requirements.txt before installing.
The finance data providers can see the ticker symbols and query timing for analyses you run.
The skill sends ticker-symbol queries to external finance/news providers. This is disclosed and purpose-aligned, with no credentials or POST uploads shown.
All public APIs, read-only GET requests: Yahoo Finance, CoinGecko, Google News, Sina Finance, East Money
Only query tickers you are comfortable sending to the listed public data providers.
Local portfolio records may reveal sensitive personal financial information to anyone with access to that file or backups.
The portfolio manager stores holdings, quantities, and cost basis in a persistent local JSON file under the skill state directory.
return portfolio_dir / "portfolios.json" ... quantity: float ... cost_basis: float
Protect the Claw/OpenClaw state directory, use CLAWDBOT_STATE_DIR if you want a specific secure location, and delete the portfolio file when no longer needed.
