Market news briefings with AI summaries. Use when asked about stock news, market updates, portfolio performance, morning/evening briefings, financial headlines, or price alerts. Supports US/Europe/Japan markets, WhatsApp delivery, and English/German output.
Security Analysis
medium confidence
The skill mostly does what its description says (gather RSS, summarize, deliver briefings) but the package and docs ask for/assume additional capabilities and sensitive configuration (message targets, browser cookies, external CLIs) that are not declared in the registry metadata and could lead to unexpected message delivery or credential exposure if you install/run it without review.
The declared skill purpose (market news briefings) matches the repository contents (RSS fetchers, summarizers, delivery workflows). However the registry metadata lists no required env vars or binaries while README/SKILL.md and scripts clearly assume use of external CLIs (openclaw, lobster), and environment variables like FINANCE_NEWS_TARGET and FINANCE_NEWS_CHANNEL. That mismatch (no declared requirements but the code expects delivery targets and CLI tools) is incoherent and could surprise users.
Runtime docs and cron scripts instruct the agent to read/write local config files (config/config.json, config/portfolio.csv), schedule cron jobs, and run Lobster/OpenClaw workflows that send messages. The docs also include an explicit procedure to export browser session cookies into config/cookies.json to fetch paywalled content — this requires copying session tokens (sensitive data) from your browser into a local file. The SKILL.md and included docs therefore ask for potentially sensitive data and to perform system changes (cron entries, message sends) outside simple summarization.
There is no formal install spec in the registry (instruction-only), but the bundle includes many code files, Dockerfile, and Python scripts. README recommends Docker or native Python install (venv + pip). No remote download URLs or archive extracts are used here, which lowers install risk, but you should still inspect and/or run inside an isolated container before giving it network or messaging permissions.
Registry metadata declares no required environment variables, yet scripts and README rely on FINANCE_NEWS_TARGET, FINANCE_NEWS_CHANNEL, and SKILL_DIR. The cron scripts provide a default FINANCE_NEWS_TARGET value (a WhatsApp group JID: [email protected]) if the variable is unset — that default target could cause messages to be sent to an external group unintentionally. The docs also advise creating config/cookies.json containing session tokens for premium sources — storing browser cookies locally is sensitive and not justified for most users. Overall requested/assumed environment access is underdeclared relative to the code and docs.
The skill is not marked always:true and does not request elevated platform privileges. However its instructions and cron scripts encourage adding scheduled jobs (crontab or openclaw cron) and running Lobster workflows that will automatically send briefings. That means once installed and configured, it can persistently send messages on a schedule (normal for this use case) — users should be explicit about cron additions and the delivery target before enabling automation.
Guidance
Before installing or enabling this skill:
1) Inspect the code (scripts/fetch_news.py, scripts/briefing.py, cron/*.sh, workflows/*). Look for any hardcoded endpoints or default targets and remove or change them.
2) Do not rely on the registry metadata alone: set FINANCE_NEWS_TARGET and FINANCE_NEWS_CHANNEL to safe values you control before running any cron/workflow. The cron scripts default to a WhatsApp group JID; change that default or export explicit values to avoid accidental message sends.
3) Avoid following the premium-sources cookie export unless you understand the risk: copying browser session cookies into config/cookies.json grants the skill full access to your account and should only be used if you trust the code and host it locally in a secure environment.
4) Run the skill inside an isolated environment (Docker or dedicated VM) and review network activity if possible.
5) If you plan to enable scheduled briefings, first run one-off commands manually to verify outputs and delivery.
6) If you are not comfortable auditing code, prefer using free sources only (as recommended in docs) and avoid adding cookie-based premium sources or automatic cron jobs.
These checks will reduce the risk of unintended data exposure or message delivery.
Latest Release
v1.0.1
- Added comprehensive HTML coverage reports (htmlcov/) for testing and code quality insights.
- Introduced new tests for earnings, summary, alerts, research, and stock functionalities.
- Updated and extended test cases for earnings and summarization modules to improve reliability.
Published by @kesslerio on ClawHub