Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
alphaear-reporter
v1.0.0Plan, write, and edit professional financial reports; generate finance chart configurations. Use when condensing finance analysis into a structured output.
⭐ 0· 38·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, prompts and code are consistent with generating financial research reports and charts. The included modules implement report assembly, ISQ scoring, forecasting, news/toolkits, and DB lookup — all plausible for the stated purpose. However, the skill declares no required environment variables or binaries yet imports/uses many external toolkits (agno.tools), network fetchers (news_tools, fetch_news_content), Polymarket and stock data access, and heavy Python libraries (pandas, pydantic, loguru). The lack of declared runtime requirements (API keys, service endpoints, Python deps) is an inconsistency.
Instruction Scope
The SKILL.md and embedded prompt files instruct the agent and downstream agents to call tools such as search_ticker, get_stock_price, web_search/fetch_news_content and to persist/lookup references in a DatabaseManager. These instructions require live web access, data fetching, and DB writes/reads. The instructions also demand that agents ‘must call tools’ for every mentioned company and return full tool results — which expands runtime scope beyond simple text generation and could cause broad data access/exfiltration if tool implementations are not vetted.
Install Mechanism
There is no install specification despite a substantial codebase with non-standard Python dependencies (pandas, pydantic, loguru, agno.tools, Jina reader references, etc.). That means the package either assumes a host environment that already contains these libraries or will fail at runtime. The absence of an install step also leaves unclear how/where Python code would be executed, which versions are required, and whether any third-party binaries or native extensions are necessary.
Credentials
The skill declares no required environment variables or primary credentials, but its code references networked toolkits (news sources, Polymarket, stock data), a DatabaseManager, and potential external services (web scraping, Jina reader). These typically require API keys, service endpoints, or database configuration. The discrepancy between 'no creds required' and code that almost certainly needs external access is a red flag: the skill may either fail silently or attempt to reach out to external services whose credentials/config are unspecified.
Persistence & Privilege
always: false (normal). The skill does include DatabaseManager usage and functions that write/update DB records (enrich_news_content updates daily_news), so it will persist data locally if provided a DB. It does not request force-inclusion or system-wide config changes. Autonomous invocation is enabled by default (not flagged alone), which combined with the other concerns increases blast radius if deployed without sandboxing.
What to consider before installing
This package appears to implement a full financial reporting pipeline (prompt templates, chart configs, tool wrappers for news/stock/prediction data, DB helpers and forecasting code). That is coherent with its stated purpose — but there are several practical and security concerns you should resolve before installing or running it:
- Missing runtime spec: The skill lists no install steps or Python/package requirements but imports pandas, pydantic, agno.tools, loguru, and other non-standard modules. Ask the author for a requirements.txt or an install script and for Python version guidance.
- Undeclared external access and credentials: The code calls news/Polymarket/stock toolkits and fetches web content and updates a database. Ask which external services are contacted, whether API keys are required, and where credentials should be stored. Do not supply high-privilege credentials (AWS, GCP, database admin) unless the author justifies them.
- Review network-facing modules: Inspect scripts/utils/news_tools.py, scripts/utils/stock_tools.py, scripts/utils/search_tools.py, and scripts/utils/database_manager.py to see what endpoints are used, what data is uploaded, and how requests are authenticated. Look for any hardcoded endpoints or unexpected external domains.
- Sandbox first: Run the skill in an isolated environment (container or VM) with no access to sensitive networks/credentials. Verify behavior (which hosts are contacted, DB writes) before using it with any real data.
- Verify provenance: The skill has no homepage and an unknown source; prefer code from known maintainers. Ask the publisher for a README, license, changelog, and list of required environment variables and resources.
- If you must use it: Provide only minimal, least-privilege credentials (if any), and a dedicated local database; monitor outbound connections and logs. If unsure, have a developer or security person audit the network/data-access code before trusting it with sensitive information.scripts/utils/predictor/evaluation.py:59
Dynamic code execution detected.
scripts/utils/predictor/training.py:308
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk972bqaaht98z3h75vkkksfepx84005w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.