Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock (XiaoDing)

v1.0.2

Retrieve real-time stock data including price, change, volume, and turnover for A-share, Hong Kong, and US markets via Sina Finance.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The description and SKILL.md state support for A‑share, Hong Kong, and US markets and even show US examples (AAPL, MSFT). The shipped bin/stock.js only accepts 6‑digit numeric symbols (A‑shares) and 5‑digit numeric symbols (Hong Kong stocks) and explicitly rejects non‑numeric symbols, so US tickers are not supported. This is a clear mismatch between claimed capability and actual implementation. Minor metadata inconsistencies also exist (_meta.json owner differs from registry owner), which may indicate copy/paste or packaging errors.
Instruction Scope
Runtime instructions and the code are narrow: the tool performs an HTTPS GET to https://hq.sinajs.cn and parses the response; it does not read files, env vars, or other system state. This behavior is consistent with the stated purpose for A/HK markets, but the SKILL.md instructs usage for US tickers even though the code will fail for them.
Install Mechanism
No install spec or external downloads are declared. The package is instruction/code-only with a local bin script and package.json. Nothing is fetched from third‑party URLs at install time.
Credentials
The skill requests no environment variables, no credentials, and no config paths; the code does not attempt to access secrets. Network access to Sina Finance is required and is proportional to the task.
Persistence & Privilege
always is false and user invocation is required; the skill does not request elevated system presence or modify other skills/configurations.
What to consider before installing
This skill will fetch A‑share and Hong Kong stock quotes from Sina Finance and does not request any credentials, so the runtime footprint is small and expected. However, the documentation claims US market support and shows US ticker examples even though the included script rejects non‑numeric symbols — do not rely on it for US stocks. If you need US quotes, ask the author to confirm/support them or review/modify bin/stock.js to add US support. Also note minor metadata inconsistencies (owner/slug/version) which suggest the package may have been copied or repackaged; if provenance matters, request clarification from the publisher before installing or enabling it for autonomous use.


latestvk97b2ah0hwjy3vkb5hrhb05e1d83egs6
