Stock Query

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: stock
Version: 1.0.0

The skill bundle is benign. The `SKILL.md` provides clear, non-malicious instructions for the AI agent. The `bin/stock.js` script fetches stock data from `https://hq.sinajs.cn` using the built-in Node.js `https` module. Input validation for stock symbols is robust, preventing injection vulnerabilities. There are no attempts to access sensitive data, execute arbitrary commands, establish persistence, or exfiltrate information. All actions are aligned with the stated purpose of querying stock prices.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may expect U.S. stock lookups to work, but the tool will reject those symbols.

Why it was flagged

The executable only supports 6-digit A-share and 5-digit Hong Kong symbols, which contradicts the user-facing claim that U.S. stocks such as AAPL/MSFT are supported.

Skill content

reject(new Error('暂只支持A股(6位数字)和港股(5位数字)'))

Recommendation

Treat the skill as an A-share/Hong Kong stock lookup unless the code is updated to implement U.S. stock support.

What this means

The skill may require a Node runtime even though the registry requirements do not call that out.

Why it was flagged

The package exposes a Node-based CLI and declares a Node runtime requirement, while the registry metadata lists no required binaries or install spec. This is under-declared setup context, not hidden execution.

Skill content

"bins": [{ "name": "stock", "path": "bin/stock.js" }], "requires": { "node": ">=14" }

Recommendation

Confirm Node is available and review the included bin/stock.js before installing or invoking the CLI.

What this means

Sina Finance can see the stock symbols you query through this tool.

Why it was flagged

The tool sends the validated stock code to Sina Finance to retrieve quote data. This external provider call is disclosed and necessary for real-time market data.

Skill content

const url = `https://hq.sinajs.cn/list=${code}`; ... https.get(url, { headers: { 'Referer': 'https://finance.sina.com.cn' } }

Recommendation

Use the skill only when you are comfortable sending queried tickers to Sina Finance; no credentials are required.