ClawHub

Finnhub Skill

v1.0.0

Provides real-time US stock quotes and financial data using the Finnhub API and Python.

2· 1.8k·5 current·6 all-time
by@keyfrog-21k
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md and scripts/app.py describe fetching real-time quotes from Finnhub and require a Finnhub API key — that is coherent with the stated purpose. However, the registry metadata lists no required environment variables while SKILL.md requires finnhub_api_key, and the skill has no published homepage/source (source=unknown). This is likely a packaging/metadata omission but is inconsistent.
Instruction Scope
Runtime instructions are narrowly scoped to installing finnhub-python, setting finnhub_api_key, and running scripts/app.py. The code only initializes the Finnhub client and calls the quote API. There is a bug in scripts/app.py: main passes a list to get_quote (get_quote([sys.argv[2]])) while get_quote expects a string, and the argv indexing/checks are sloppy; this can cause runtime errors but is not evidence of malicious behavior.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. SKILL.md suggests installing the finnhub-python pip package; this is standard for Python integrations. No downloads from untrusted URLs or archive extraction are present.
Credentials
The only secret the skill needs is the Finnhub API key (finnhub_api_key), which is appropriate for a Finnhub integration. The inconsistency is that the registry metadata does not declare this required env var; SKILL.md and the script do. No other credentials or system config are requested.
Persistence & Privilege
The skill does not request always:true and does not claim persistent system-wide privileges. It does not modify other skills' configurations or require elevated access.
Assessment
This skill appears to do what it says: call Finnhub for stock quotes. Before installing: (1) Be aware the registry metadata omits the required environment variable — you must set finnhub_api_key in the agent environment. (2) The skill's source/homepage is unknown; prefer skills with a verifiable repository or publisher. (3) The included script has a small bug (it passes a list instead of a string and has fragile argv checks); you may want to review/fix scripts/app.py before running. (4) Only provide your Finnhub API key if you trust the skill publisher; keep keys scoped and rotate them if exposed. (5) If you need stronger assurance, request the skill's upstream source or a checksum of the code before using it in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cqscv69v3nrqytrjv8tp6k180fgvd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments