Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
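Tongdaxin (TDX) Stock Query Skill
v1.0.0
A stock data query skill based on the TDX API. It provides comprehensive A-share market data queries through 31 API endpoints, including real-time quotes, K-line data, intraday data, intraday trades, stock search, index data, ETF data, market statistics, individual stock news, and stock announcements. Invoked when the user asks for stock-related information.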
by @bensema
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md match the stated purpose: a client for a TDX-style stock data API. Requiring a TDX API endpoint (TDX_API_URL) and optionally an AKSHARE_API_URL is appropriate for this functionality. However, the registry metadata claims no required env vars/credentials while the runtime instructions and code require TDX_API_URL (and optionally AKSHARE_API_URL), which is an inconsistency between metadata and actual requirements.
Instruction Scope
Runtime instructions and code are narrowly scoped: they direct the agent to read TDX_API_URL (and optionally AKSHARE_API_URL), call HTTP endpoints on that API, and expose many query methods. The SKILL.md does not instruct reading unrelated files, broad environment data, or sending data to unexpected third‑party endpoints. The code uses requests to call only the configured API URL(s).
Install Mechanism
No install spec is provided (instruction-only install), and included requirements are standard libraries (requests, python-dotenv). No downloads from arbitrary URLs or archive extraction are present. This is low-risk from an install mechanism perspective.
Credentials
The skill legitimately needs a user-supplied API URL (TDX_API_URL) and optionally AKSHARE_API_URL, which are not secrets but are required to function. The registry metadata, however, lists no required env vars/primary credential while SKILL.md and main.py require them — this mismatch is concerning because it can mislead users about what will be accessed. There are no requests for unrelated secrets or broad credentials.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It performs network calls to the user-configured API only and does not appear to persist data on the host beyond what the remote API might do; no elevated privileges are requested.
What to consider before installing
This package is functionally coherent with a TDX API client, but note that SKILL.md and main.py require you to set TDX_API_URL (and optionally AKSHARE_API_URL) even though the registry metadata did not declare those environment variables. Before installing or enabling the skill:
1) Inspect and confirm the API URL you will set is a trusted server (the skill will send requests and any user-provided query data to that URL).
2) If you plan to use the included tests, be aware the test files reference a private IP (10.0.0.8); replace it with your own trusted endpoint.
3) Because the metadata omission could be accidental, consider asking the publisher to correct the registry fields or review the code yourself; run the skill in a sandboxed environment until you verify behavior.
If you need higher assurance, validate network traffic from the skill to ensure it only communicates with the configured API endpoints.
Like a lobster shell, security has layers — review code before you run it.
