A-share Dragon Tiger List Market Data API

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: lhb-api
Version: 1.0.3

The skill provides a Python client and documentation for accessing A-share market data (Dragon Tiger List and money flow) via a remote API. The code in scripts/client.py is a straightforward implementation using urllib to perform GET requests to the documented endpoints at http://fffy520.gicp.net:8003. No evidence of data exfiltration, malicious execution, or prompt injection was found, and the behavior is entirely consistent with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Stock/date queries and returned market data could be observed or altered on the network; the artifacts do not show local files or credentials being sent.

Why it was flagged

The client sends requested API calls to an external provider over plain HTTP. This is disclosed and central to the market-data purpose, but the connection is not encrypted.

Skill content

def __init__(self, base_url: str = "http://fffy520.gicp.net:8003"):

Recommendation

Use only non-sensitive queries with this endpoint, avoid sending any API key over plain HTTP unless the provider offers HTTPS, and verify important financial data independently.

What this means

If the service requires paid or keyed access, users may need to manage credentials outside the skill and should understand what account information the API exposes.

Why it was flagged

The documentation references account status, keys, and invalid credentials, while the provided metadata declares no primary credential and the included client does not implement authentication. This is a documentation/credential-scope ambiguity, not evidence of credential misuse.

Skill content

GET /api/account ... Query the current plan type, remaining quota, and validity period ... 30 requests/second/Key ... 401 | Invalid credentials

Recommendation

Confirm the provider's authentication method before use; keep any API key limited to this service and do not provide brokerage, bank, trading, or unrelated account credentials.