Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A Stock Market 1.0.0

v1.0.0

Provides real-time A-share stock market data from Sina Finance API for individual stocks and indices by code.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to use Sina Finance in the package description and SKILL.md, but the README and the included a-stock.py actually call Tencent's API (https://qt.gtimg.cn). Functionality (fetching A‑share quotes) is coherent, but the declared data source and some metadata owner IDs are inconsistent and potentially misleading.
Instruction Scope
Runtime instructions and the script stay within the stated purpose: they take stock codes, call a public quote API, parse and print results. The code does not read other files, environment variables, or send data to unexpected endpoints beyond the quote API.
Install Mechanism
There is no automated install spec. This is an instruction-only skill with an included Python script. README suggests creating a symlink into /usr/local/bin (requires sudo) or running the script directly. No downloads or archive extraction are performed by the skill itself.
Credentials
The skill requests no environment variables, no credentials, and accesses no config paths. Network access to the public Tencent quote endpoint is the only external resource used, which is proportional to its function.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. README suggests a system-wide symlink (/usr/local/bin) which requires elevated privileges — this is a local install choice and not required by the skill, but users should be cautious about running sudo for third-party code.
What to consider before installing
This script appears to do what it says (fetch A‑share quotes) and does not request secrets, but there are inconsistencies you should clear up before installing:

1) SKILL.md and the package description mention Sina Finance while the actual script and README use Tencent's API (qt.gtimg.cn) — confirm which data source you trust.
2) The README advises creating a system symlink with sudo; avoid using sudo on untrusted code — you can run the script directly (python3 a-stock.py ...) or put a copy in a user-local bin directory (~/.local/bin) instead.
3) Review the a-stock.py source yourself (it is short and readable) or run it in an isolated environment to observe network calls.

If you need guarantees about provenance or updates, ask the publisher for a canonical homepage or repository and verify the owner metadata mismatch before granting any elevated install actions.

Like a lobster shell, security has layers — review code before you run it.
