Finnhub Skill
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a simple Finnhub stock-quote skill, with the main things to notice being its Finnhub API key use and a user-directed Python package install.
Before installing, make sure you are comfortable providing a Finnhub API key via the finnhub_api_key environment variable and installing the finnhub-python package. The artifacts do not show hidden data collection, persistence, destructive actions, or behavior outside the stated stock-quote purpose.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill needs access to a Finnhub API key to make authenticated Finnhub API requests.
The script reads a Finnhub API key from the environment and uses it to authenticate to the Finnhub client. This is expected for the stated stock-data purpose, but it is still credential use that users should understand.
finnhub_api_key = os.getenv('finnhub_api_key')
client = finnhub.Client(api_key=finnhub_api_key)Use a Finnhub key with only the access needed for this skill, keep it out of shared logs or prompts, and set it only in the intended environment.
Installing the dependency will add third-party Python code to the local environment.
The skill asks the user to install an external Python package without pinning a version. This is a normal dependency for the stated Finnhub purpose, but unpinned package installs have some supply-chain risk.
- Finnhub pip package `pip3 install finnhub-python`
Install from a trusted Python package index, consider pinning a known-good version, and review dependency provenance if using this in a sensitive environment.