Skill v1.0.3

ClawScan security

free-stock-global-quotes-news · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 1:01 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and environment requests are coherent with its stated purpose of fetching stock quotes and news from Yahoo, Tencent, EastMoney, AkShare and Finnhub; nothing in the files indicates unexplained credential access or hidden exfiltration.
Guidance
This skill appears to do exactly what it says: fetch quotes/news from public providers. Before installing: (1) Understand it performs network requests to Yahoo, qt.gtimg.cn, push2.eastmoney.com, finnhub.io and (optionally) uses AkShare if installed. (2) Only provide a FINNHUB_API_KEY if you trust the skill and want Finnhub fallback; that key will be sent to finnhub.io as expected. (3) The SKILL.md suggests editing systemd to set a proxy — that is optional and affects your system service if you perform it. (4) If you need stricter isolation, run the skill in a sandboxed environment or review the scripts locally; the code is readable and not obfuscated.

Review Dimensions

Purpose & Capability
ok
Name/description match the included scripts: quote.py, cn_quote.py, news.py, cn_news.py implement US/HK/CN quote/news retrieval using Yahoo/Finnhub/Tencent/EastMoney/AkShare. Required binary (python3) and optional dependency (akshare) are proportionate to the task.
Instruction Scope
note
SKILL.md instructs the agent to run the included Python scripts and documents the environment variables the scripts read (FINNHUB_API_KEY, HTTPS_PROXY, HTTP_PROXY, OPENCLAW_* settings). It also suggests optional system administration steps (editing a systemd service file) to apply a proxy globally; that instruction reaches outside the skill directory and should be considered an optional system-level change rather than a required action.
Install Mechanism
ok
No install spec; this is instruction/code-only and requires nothing to be downloaded at install time. The code relies on standard Python stdlib network calls and an optional akshare package (declared). No external arbitrary download/install URLs are present.
Credentials
ok
No required secrets are declared. The only optional credential is FINNHUB_API_KEY (needed only for Finnhub fallback/news for US stocks). Proxy env vars are optional and documented. The scripts also read OPENCLAW_* runtime tuning env vars (documented in SKILL.md). There are no unexpected credential requests or config paths.
Persistence & Privilege
ok
Skill does not request always:true and is user-invocable only. It does not modify other skills or system configuration by itself; SKILL.md gives optional manual steps to change systemd if the operator chooses to do so.