ClawHub

F-AI 金融数据

v1.0.0

提供全球股票、指数、基金、债券等多品类金融数据的实时与历史行情查询及公司基本面分析服务。

2· 175·0 current·0 all-time
by@czzlegend
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the provided SKILL.md and reference docs. The package contains a manifest, docs, and an installer that copies the skill into a local .agents/skills folder—consistent with installing a skills bundle for market-data queries.
Instruction Scope
Instructions require direct HTTP POSTs to https://papi-uat.finloopg.com/flp-mktdata-hub and explicitly forbid creating local JS/TS wrapper files. Direct POSTs to the external UAT host are coherent for an API-based data skill, but the ban on wrappers is unusual (limits agent implementation flexibility) and the docs do not mention any authentication or API keys—verify whether the API requires credentials.
Install Mechanism
No remote downloads or package installs. The included lib/install.js and bin/finloop-skills.js copy the skill bundle into a .agents/skills directory under the current working directory. This writes files locally but does not fetch external code—reasonable for a local skill installer.
Credentials
The skill declares no required env vars, binaries, or config paths. That aligns with the supplied SKILL.md which shows unauthenticated example calls, though absence of any auth mention is surprising for a market-data API and should be confirmed.
Persistence & Privilege
always is false and the installer only writes into the project's .agents directory (with a user prompt on overwrite). The skill does not request system-wide privileges or modify other skills' configs.
Assessment
This package appears to be a straightforward market-data skill bundle, but check these before installing: 1) Confirm the API host: the docs point to a UAT base URL (https://papi-uat.finloopg.com/...). Make sure you intend to call UAT versus a production endpoint. 2) Authentication: there are no API key or credential fields in the manifest or SKILL.md—verify whether the API actually requires an auth token and how to provide it safely. 3) Review local install: npx install will copy files into your project's .agents/skills directory and will prompt before overwriting; run the installer from a directory where this is acceptable. 4) Strange restrictions and minor copy/paste errors (e.g., publish.sh mentions a different package) are likely benign but indicate the package may be lightly maintained—inspect the files locally before running network calls. If you need higher assurance, ask the publisher for a production base URL, authentication details, and source repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dq3q63knahwccnc73aw040s834k56

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments