Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Finance Data Fetcher
v1.0.0
Fetch real-time and historical Chinese A-share market data, including quotes, financial reports, capital flows, and fundamental indicators using AkShare.
by @gbabyzs
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the declared dependencies and usage of AkShare and public Chinese finance sources — requesting no credentials is proportionate. However, skill.json declares a main module (skill_main.py) and exports functions, while no code files are present; the SKILL.md example imports from skill_main. That mismatch means the package does not actually provide the code necessary to fulfill its purpose.
Instruction Scope
SKILL.md instructs installing akshare/pandas/numpy/requests and shows example calls to fetch_stock_quote etc., but it relies on a local module (skill_main) that is not included. The instructions do not ask the agent to read unrelated files or secrets, but they assume an implementation that is missing — runtime behavior is therefore undefined and could lead to ad-hoc implementations with broader scope if the agent or user fills in the gap.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. But skill.json lists dependencies (akshare, pandas, requests) while SKILL.md's pip example also includes numpy — a small inconsistency. No external download URLs or installers are present.
Credentials
The skill requests no environment variables, credentials, or config paths. Given the stated data sources (AkShare, Sina, EastMoney) this is reasonable; no secret access is required by the provided instructions.
Persistence & Privilege
always is false and autonomous invocation is allowed by default. The skill does not request elevated persistence or system-wide changes and provides no installers that write files. No code is included that would persist on disk as part of the skill package.
What to consider before installing
This skill claims to provide Python functions (fetch_stock_quote, etc.) but does not include the implementation (no skill_main.py). Before installing or using it, ask the publisher for the missing source or an official homepage/repo. Do not blindly pip install dependencies from an unknown package—verify the author and repository. If you decide to proceed: (1) obtain the code and review it for network endpoints and data exfiltration, (2) run installs and the code in a sandbox or virtual environment, (3) confirm dependency list matches the code (SKILL.md lists numpy but skill.json does not), and (4) verify licensing and that scraping/data usage complies with the data providers' terms. The current package is internally inconsistent; resolve those gaps to reduce risk.
Like a lobster shell, security has layers — review code before you run it.
latest vk9753q81axwmc8z3rv2t13agm982yq4e
