Today Earnings
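Fetches earnings calendar data from Yahoo Finance. Suitable for querying earnings for a specified date or for today, outputting a company list, and distinguishing BMO/AMC/TNS by earnings release time. The current implementation is based on Chrome Extension + Native Messaging and requires a locally installed Chrome extension, Native Host, Google Chrome and...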
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by holenlin @lhl09120
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (fetch Yahoo Finance earnings) match the provided code: a Chrome extension opens the Yahoo earnings page, a content script parses the DOM, and a native host + CLI glue the local invocation. Required permissions (tabs, scripting, nativeMessaging, host permission for finance.yahoo.com) are proportional to the stated purpose. Minor mismatch: several design/docs statements say the first version will "only keep AMC/BMO", but parser.js and the runtime transform accept AMC/BMO/TNS (and parser.js's comment even says it preserves all earningType). This discrepancy between docs and code should be resolved.
Instruction Scope
SKILL.md and references instruct installing a Chrome extension and native host and running the CLI — all within scope. However, implementation details expand the runtime surface: the native host, once launched by Chrome, starts a persistent UNIX socket server at /tmp/today-earnings.sock that will accept connections from any local process. That socket allows any local actor to request the extension perform fetch requests (the extension is hardcoded to finance.yahoo.com calendar URLs only). This is expected for the CLI design but is a non-trivial local-IPC exposure that the documentation doesn't explicitly warn about or harden.
Install Mechanism
There is no remote download of executable code; the repo contains an install.sh that writes native messaging manifests and wrapper scripts and guides Windows registry registration. Installation writes files into user Chrome native messaging locations or generates Windows artifacts — standard for native messaging hosts. No external network fetches or URL shorteners are used by the install scripts.
Credentials
The skill requests no environment variables or external credentials — appropriate. It does require Node.js and a local Chrome instance and to register a native messaging host manifest. The notable proportionality issue is the persistent /tmp socket: the host creates a local IPC endpoint without explicit client authentication, which increases local attack surface (other local users/processes could connect).
Persistence & Privilege
always:false (good). But the background service worker sets a frequent alarm to keep itself alive and the native host, when launched by Chrome, runs a long-lived socket server. The combination (persistent host + open UNIX socket) grants the skill sustained local presence and locally-exploitable IPC; the skill also instructs installing manifests into user Chrome config and modifying HKCU on Windows. None of that is inherently malicious, but it raises persistence/privilege considerations that the user should be aware of.
What to consider before installing
- This skill implements exactly what it claims: a Chrome extension + Native Messaging host + Node CLI to scrape Yahoo Finance. You must load the extension and run the provided install script (or run the generated Windows .bat) so Chrome can launch the native host.
- Local-IPC exposure: when the host is started by Chrome it creates a UNIX domain socket at /tmp/today-earnings.sock that accepts requests from any local process. That means any local user or process could connect to the socket and cause the extension to open the Yahoo Finance earnings page and return scraped data. If you run multi-user systems or run untrusted local processes, treat this as a risk. Consider inspecting/adjusting the socket path and file permissions or running on an isolated account/machine.
- Documentation vs. implementation mismatch: some docs say only AMC/BMO records will be kept, but the parser/transform code preserves AMC/BMO/TNS (and parser.js contains comments that differ from design.md). If you rely on strict filtering, review parser.js and scripts/get-company-list.mjs to confirm the actual behavior before using results programmatically.
- Review produced files before running install.sh: install.sh writes manifest files and wrapper scripts and may prompt you to use sudo for system locations. Ensure the manifest's "path" is correct and points to trusted code (native-host/host.js or the generated run-host wrapper). On Windows, the generated install-windows.bat modifies HKCU (user registry) — review it before execution.
- If you decide to install: run it on a single-user, trusted machine; verify /tmp/today-earnings.sock permissions after host start; consider removing the extension and native host artifacts when no longer needed (delete manifest files, wrapper scripts, and any generated Windows registry keys/manifest entries).
- If you want higher assurance: ask the author to (1) restrict the socket to a less-global path and set restrictive file permissions, (2) add an authentication token exchanged by CLI and host, or (3) make the host accept connections only from a launched CLI process rather than any local process. If those changes are present, I would raise confidence to benign.
Like a lobster shell, security has layers — review code before you run it.
Current version v4.3.4
SKILL.md
Today Earnings
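Opens the Yahoo Finance earnings calendar page through Chrome Extension + Native Messaging and returns structured JSON.
Quick workflow
- First install and load chrome-extension/ and note the extension ID.
- Run bash native-host/install.sh <extension ID> to install the Native Host.
- Refresh the extension at chrome://extensions.
- Use ./scripts/get-company-list.sh [date] to fetch the results.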
Common commands
# Today
./scripts/get-company-list.sh
# Specific date
./scripts/get-company-list.sh 2026-03-14
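Resource navigation
- Read references/usage_guide.md when you need the complete installation steps, how to run it, the output format, or error troubleshooting.
- Read references/yahoo_earnings_calendar.md when you need the Yahoo page structure, field mapping, DOM assumptions, and parser maintenance points.
- Read design.md when you need to understand the overall architecture across the extension, Native Host, and Node CLI.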
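Component responsibilities
- scripts/get-company-list.sh: command entry point; passes arguments through and invokes the Node CLI.
- scripts/get-company-list.mjs: handles socket communication, argument validation, and JSON output (including converting market cap to a number).
- chrome-extension/: opens the page, waits for content to load, and injects the parsing logic.
- native-host/: bridges Chrome Native Messaging and the local socket.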
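Usage notes
- The current implementation depends on a local GUI environment and cannot complete the full flow directly in a purely headless environment.
- If Chrome is not yet running, open the browser from the command line first, then run the script:
  # macOS
  open -a "Google Chrome"
  # Linux
  google-chrome &
  # Windows (PowerShell)
  Start-Process "chrome"
- Before running, make sure Chrome is running, the extension is loaded, and the Native Host is installed.
- The current capability is mainly single-date queries; if the page structure changes, first check the parsing assumptions in references/yahoo_earnings_calendar.md.
- Linux users: the Ubuntu snap build of Chromium does not support Native Messaging; the deb build of Google Chrome is recommended.
- Windows users must, after install.sh generates its files, additionally run native-host/install-windows.bat to complete registry registration. See references/usage_guide.md for details.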
