Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (THS automation) matches the SKILL.md and the shipped scripts. The code implements GUI automation (osascript on macOS, PowerShell SendKeys on Windows), local logging, risk calculation and plan orchestration — all reasonable for a desktop trading-automation helper. There are no unrelated environment variables, remote endpoints, or unexpected binaries required.
Instruction Scope
The runtime instructions direct the agent to call exec to run local commands (open/osascript on macOS, node + PowerShell SendKeys on Windows) and to run the included Node scripts. The skill reads local files (watchlist, plan files) and writes logs and a trade-journal under its own logs/ directory. This is within the stated purpose, but it does grant the agent the ability to execute OS-level commands and send keystrokes to other applications — a powerful capability that can have side effects if misused or if another window is focused.
Install Mechanism
No external install/downloads or archive extraction are required. This is instruction + local script files only. All code shipped in the package; nothing is pulled from remote URLs during normal operation.
Credentials
The skill does not request credentials or secret environment variables. It briefly checks for Node/PowerShell paths via environment variables (NODE_EXE, POWERSHELL_EXE) but these are optional and used only to locate local executables. No disproportionate access to unrelated services or secrets is requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes logs and a JSONL trade‑journal inside its own logs/ directory (normal for this function). Note: the platform default allows autonomous invocation; this skill can execute commands when invoked, so consider invocation policy if you do not want automated runs without explicit user approval.
Assessment
This package appears internally consistent with its purpose, but it executes local shell commands and simulates keyboard input — both are powerful and can affect other windows or trigger unintended actions. Before installing: 1) review the shipped scripts (ths-hotkeys.mjs, run-all.mjs, etc.) yourself (they are included); 2) run initially in dry-run mode (run-all supports --dryRun) or on a test/VM machine; 3) restrict agent autonomous runs or require explicit user confirmation for any command that opens the trading client or interacts with the GUI; 4) be mindful that SendKeys/osascript will act on whatever window is focused (close or lock other sensitive apps while testing); 5) ensure Node and PowerShell are from trusted installs and that you understand where logs/trade-journal files are written (logs/ in the skill folder). If you want tighter control, require the agent to only produce command text for you to run manually rather than executing commands automatically.
scripts/run-all.mjs:201
Shell command execution detected (child_process).
scripts/ths-hotkeys.mjs:86
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk974b9vj0h8qdm7se873qzv0hh83j2cp
Runtime requirements
📈 Clawdis
OS: macOS · Windows
