astock-research

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The stock analysis framework is mostly coherent, but its helper script contains a hard-coded QVeris API key and runs an undeclared external tool from another skill path.

Review this skill before installing. The analysis instructions themselves are ordinary stock-research guidance, but the included script should not ship with a hard-coded API key or an undeclared dependency on another local skill. Use only after the key is removed and dependencies are clearly declared.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone running or inspecting the skill may use or expose this API key, and requests may be made under an account that the user does not control.

Why it was flagged

The script embeds a provider API key directly in the skill package instead of requiring a user-provided, scoped credential.

Skill content

export QVERIS_API_KEY=sk-XVkZepq...

Recommendation

Remove the hard-coded key, declare the credential requirement, and require users to provide their own API key through a secure environment variable or platform credential mechanism.

What this means

The actual code executed depends on another local skill outside this package, so the reviewed artifacts do not fully describe what will run when the helper script is used.

Why it was flagged

The helper script runs a tool from an absolute path in another skill and relies on uv, but the metadata declares no required binaries, install spec, config paths, or dependency on that external skill.

Skill content

~/.local/bin/uv run /home/ubuntu/.openclaw/workspace/skills/qveris/scripts/qveris_tool.py execute

Recommendation

Declare and pin external dependencies, avoid absolute machine-specific paths, and include or reference the required tool in a transparent, reviewable way.