Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

financial-market-data

v1.0.2

Provides unified access to multi-source financial market data including stocks, futures, ETFs, realtime quotes, sectors, financials, and macroeconomic indica...

by BJ_denglun (@bjdenglun)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is unified market-data access, and the code implements multiple data-source fetchers (ths/akshare/pytdx/baostock/tickflow). However, skill.yaml contains a 'token_required' entry including a concrete EastMoney MX API key, and the Python template hard-codes the same key, while the registry metadata and SKILL.md declare no required env vars/credentials. Embedding a service token in metadata/code is inconsistent with the declared requirements and is not necessary for most of the documented functionality (many sources are public/free).
Instruction Scope
SKILL.md stays within the expected scope (copy folder, install Python deps, import functions). The runtime instructions encourage adding the skill directory to sys.path and calling provided functions. The only scope concern is that examples refer to an MX API key the user should supply, but the shipped template includes a baked-in key; otherwise the instructions do not ask the agent to read unrelated local files or secrets.
Install Mechanism
There is no automated install that downloads arbitrary archives. SKILL.md recommends pip-installing public Python packages (tickflow, akshare, baostock, pytdx, requests, pandas) or using a tool 'uv sync'. Using pip is typical for Python skills; this is moderate-risk but proportionate to the purpose. No obscure download URLs or extract actions are used.
Credentials
The package declares no required environment variables, yet the code and skill.yaml include a concrete EastMoney MX API key. Requiring or bundling a third-party API key in the package is disproportionate: it exposes/redistributes a credential the user may not expect, and it contradicts the manifest that lists no external credentials. There's also network access to several external endpoints (d.10jqka.com.cn, mkapi2.dfcfs.com, push2.eastmoney.com, and a pytdx host IP), which is expected for a market-data skill but worth noting.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configs, and has no required config paths. It will run as a normal, user-invoked/autonomous skill with network access — standard for this type of skill.
What to consider before installing
This skill appears to implement market-data fetchers for many public sources, which matches its description, but it embeds a concrete EastMoney MX API key/token in skill.yaml and in python/template.py while declaring no required credentials. Before installing: (1) Treat the embedded API key as suspicious and decide whether to use it or replace it with your own key; hard-coded keys can be revoked, rate-limited, or violate a provider's terms. (2) Review and, if needed, remove the hard-coded key from template.py and skill.yaml, and update the code to read credentials from environment variables or a user-provided config. (3) Install and run in an isolated environment (virtualenv/container), because the skill performs outbound network calls to several third-party hosts (10jqka/dfcfs/push2/eastmoney and a pytdx host IP). (4) Verify that the third-party Python packages (tickflow/akshare/baostock/pytdx) come from trusted sources, and pin versions if you plan to deploy. (5) If you require stronger assurance, contact the upstream/source author or request a signed release, and ask why a provider token is embedded in distributed metadata. These inconsistencies make the package suspicious but not demonstrably malicious.



