← Back to Skills Marketplace
Stock Analysis 6
by
sunerw-dev
· GitHub ↗
· v1.0.0
1121
Downloads
0
Stars
3
Active Installs
1
Versions
Install in OpenClaw
/install stock-analysis-6
Description
Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock scoring, viral trend detection (Hot Scanner), and rumor/early signal detection. Use for stock analysis, portfolio tracking, earnings reactions, crypto monitoring, trending stocks, or finding rumors before they hit mainstream.
Usage Guidance
Proceed cautiously. Specific things to consider before installing or running:
- Source trust: the skill's source is unknown. Only install if you trust the author.
- Incomplete metadata: the manifest only declares 'uv', but docs instruct use of python3, bird (Twitter CLI via npm or brew), and browser cookie extraction — expect to manually install Python packages and CLIs.
- Do NOT follow the advice to grant Terminal 'Full Disk Access' or copy browser cookie tokens (AUTH_TOKEN / CT0) into a .env unless you fully understand the risks. Extracting cookies and storing them in plaintext is a privacy/security hazard and can expose your account.
- Prefer official APIs and scoped API keys. If you want Twitter/X integration, use OAuth tokens or an official API key with least privilege rather than copying browser cookies.
- Run first in an isolated environment (VM/container) and inspect the Python scripts (they are included) to see which endpoints they call and whether they log or transmit sensitive data. Look for outgoing network calls and where results are posted or stored.
- If you will run the hot_scanner/rumor_scanner on a schedule, restrict network access or run with a dedicated low-privilege account; consider rate limits (SEC EDGAR) and third-party terms of service.
- If you need only basic stock analysis, avoid enabling optional social/Twitter features and run with --no-social or --no-insider flags to reduce external requests.
What would change this assessment: if the publisher provided an authoritative source URL, a full install script that safely installs Python deps and documents required credentials, and removed instructions that recommend extracting browser cookies, confidence could shift toward 'benign'.
Capability Analysis
Type: OpenClaw Skill
Name: stock-analysis-6
Version: 1.0.0
The skill is classified as suspicious due to critical vulnerabilities. The `scripts/watchlist.py` file contains a shell injection vulnerability where user-controlled `ticker` input from the watchlist is passed unsanitized to `subprocess.run` when checking alerts, allowing arbitrary command execution. Additionally, `scripts/hot_scanner.py` and `scripts/rumor_scanner.py` execute an external `bird` CLI via `subprocess.run` and pass sensitive Twitter authentication tokens (`AUTH_TOKEN`, `CT0`) as environment variables, posing supply chain and data exfiltration risks if the `bird` binary is compromised.
Capability Assessment
Purpose & Capability
Name/description align with included Python scripts (analysis, hot scanner, rumor scanner, portfolio, watchlist, dividends). However, the manifest only declares one required binary (uv) while the SKILL.md/docs also call out python3, npm/bird (Twitter CLI), and browser access; these additional tools are needed for full functionality but are not declared in requires. That mismatch suggests incomplete metadata or sloppy packaging, not necessarily malicious, but it increases operational friction and risk.
Instruction Scope
SKILL.md/docs instruct the user to extract Twitter/X auth tokens from browser cookies (AUTH_TOKEN, CT0), to grant Terminal 'Full Disk Access' (macOS) for using browser cookies, and to run cron jobs that fetch external data. Those instructions request sensitive local data and privileged actions unrelated to core analysis logic (you can run a hot scan without browser cookies). The rumor scanner also collects and aggregates data from many external endpoints. The instructions therefore go beyond simple analysis and include steps that could expose sensitive tokens if followed.
Install Mechanism
Install spec only installs 'uv' via brew. The package is otherwise a Python project with many scripts and implicit Python dependencies; SKILL.md also recommends installing the 'bird' CLI via npm or brew for Twitter integration. There are no pip/npm install steps or requirements.txt enforced by the install spec, so running the skill as-is may fail or require ad-hoc installs. The brew install for a single binary is low-risk, but the packaging is incomplete.
Credentials
Declared required env vars: none. But docs reference AUTH_TOKEN and CT0 for Twitter (sensitive cookies) and suggest creating a .env with those values. TODO/docs also mention an SEC identity ([email protected]). Asking users to copy browser cookie tokens into .env and granting Terminal Full Disk Access is disproportionate compared to the stated purpose and increases risk of credential leakage. The skill does network calls to many external services (Yahoo, CoinGecko, Google News, SEC EDGAR, Twitter) but does not declare any required credentials or how credentials are protected.
Persistence & Privilege
The skill does write local state (portfolios/watchlist stored under ~/.clawdbot/skills/stock-analysis/*.json) and suggests cron automation; these are expected for a watchlist/alerting tool. always:false and no modifications of other skills or global configs were requested. Autonomous invocation is allowed by default (normal) and not combined with 'always:true' or broad undeclared credential access in the manifest, so persistence/privilege level is within typical expectations.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install stock-analysis-6 - After installation, invoke the skill by name or use
/stock-analysis-6 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Stock Analysis v6.2 introduces rumor detection and impact scoring:
- Added Rumor Scanner for early detection of M&A rumors, insider activity, analyst actions, and Twitter/X whispers
- Introduced Impact Scoring system to rank rumors by potential market impact
- Expanded Hot Scanner to find trending stocks and crypto from multiple sources
- Improved stock and crypto analysis with updated portfolio, watchlist, alerts, and dividend feature set
- Enhanced daily workflow with cron support for trend and rumor reports
Metadata
Frequently Asked Questions
What is Stock Analysis 6?
Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock scoring, viral trend detection (Hot Scanner), and rumor/early signal detection. Use for stock analysis, portfolio tracking, earnings reactions, crypto monitoring, trending stocks, or finding rumors before they hit mainstream. It is an AI Agent Skill for Claude Code / OpenClaw, with 1121 downloads so far.
How do I install Stock Analysis 6?
Run "/install stock-analysis-6" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Stock Analysis 6 free?
Yes, Stock Analysis 6 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Stock Analysis 6 support?
Stock Analysis 6 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Stock Analysis 6?
It is built and maintained by sunerw-dev (@sunerw-dev); the current version is v1.0.0.
More Skills