Stock Analysis 6.2.0

Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock scoring, viral trend detection (Hot Scanner), and rumor/early signal detection. Use for stock analysis, portfolio tracking, earnings reactions, crypto monitoring, trending stocks, or finding rumors before they hit mainstream.

This skill appears to be a legitimate stock/crypto analysis tool, but there are concerning mismatches between what the manifest declares and what the runtime docs instruct: - The SKILL metadata only lists 'uv' as a binary, yet the Hot Scanner/Twitter integration requires the third-party bird CLI (npm/brew) and manual extraction of Twitter cookie tokens (AUTH_TOKEN and CT0). The manifest should declare those dependencies and any required env vars. - The docs explicitly instruct users to extract browser cookies and to 'Grant Terminal Full Disk Access' so cookies can be read. Do NOT grant Full Disk Access or broadly elevate privileges just to make a skill work. That practice exposes all browser data and is high-risk. - Storing auth tokens in plaintext .env files is fragile. If you want Twitter/X data, prefer using official API keys (from a developer app) with limited scopes, not browser cookie harvesting. Before installing or using this skill consider these steps: 1. Inspect the Python scripts (they are included) for any network calls to unexpected domains or hard-coded endpoints. Verify all outgoing endpoints are legitimate (Yahoo, CoinGecko, Google News, SEC, etc.). 2. If you need Twitter/X data, create a controlled API credential (developer app) and provide only those keys; avoid using browser cookies. Ask the maintainer to support official API keys and to document required env vars in the manifest. 3. Do not grant Terminal Full Disk Access. If the bird CLI truly requires browser cookies, reject that approach or run the scanner in a tightly controlled sandbox/VM isolated from personal data. 4. Keep .env files and any saved tokens in a secure location with limited file permissions; consider using platform secure storage instead of plaintext files. 5. Because the skill's manifest omits required tooling and env vars, prefer running it in an isolated environment (container or VM) and review the code's network behavior while executing (or run tests) before granting any elevated host permissions. Given the privileged instructions around cookie extraction and undeclared dependencies, treat this skill as suspicious until those inconsistencies are reconciled by the author (declare bird and required env vars in metadata, remove cookie-harvesting instructions, or switch to official API keys).

Type: OpenClaw Skill Name: stock-analysis-6-2-0 Version: 1.0.0 The skill is classified as suspicious due to its explicit requirement for users to provide Twitter/X authentication tokens (AUTH_TOKEN and CT0, which are session cookies) in an `.env` file. The `scripts/hot_scanner.py` and `scripts/rumor_scanner.py` files then load these environment variables and execute an external `bird` CLI via `subprocess.run` to interact with the user's Twitter/X account. While the stated purpose is benign (social sentiment analysis), this grants the skill direct access to the user's social media session, representing a high-risk capability that could be exploited for unauthorized actions if the `bird` CLI or the skill's code were compromised or misused. There is no clear evidence of intentional malicious behavior, but the inherent risk associated with handling and using active session cookies for an external service warrants a 'suspicious' classification.