Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TickHub
v0.0.1股票实时行情查询技能。支持A股、港股、美股个股的实时价格、涨跌幅、成交量查询。 Use when: 用户询问某只股票的"股价"、"行情"、"涨了没"、"多少钱了"。 NOT for: 历史K线分析、技术指标计算、投资建议推荐。
⭐ 1· 60·0 current·0 all-time
by@oct16
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to fetch real-time quotes from 东方财富/新浪 but the only concrete API example in SKILL.md calls https://tickhub.net/stock/600519 — an unverified third‑party endpoint. No homepage or source repository is provided to justify using that domain.
Instruction Scope
Instructions are narrowly scoped to extracting a ticker and calling a market-specific realtime API, parsing JSON, and formatting output. However the SKILL.md gives only one concrete external endpoint (tickhub.net) rather than the claimed official providers, which could redirect queries and user data to an unknown operator.
Install Mechanism
Instruction-only skill with no install steps or code files; nothing is written to disk and no packages are fetched during install.
Credentials
The skill declares no environment variables, credentials, or config paths — requested access is minimal and proportional to the stated purpose.
Persistence & Privilege
always is false and the skill has default invocation behavior. It does not request persistent or elevated system privileges.
What to consider before installing
Proceed with caution. The main issues: (1) the SKILL.md references official Chinese providers but uses an unverified endpoint (tickhub.net) in the example — that endpoint could log queries, IPs, or return modified data; (2) there is no source repo or homepage to verify who operates the service. Before installing: ask the publisher for the real API endpoints and operator info; prefer skills that call documented official APIs (eastmoney/sina) or provide their source code; if you must use it, test in a sandboxed environment and monitor outbound network requests; never provide credentials to this skill and limit its use to non-sensitive queries until the endpoint/operator is verified.Like a lobster shell, security has layers — review code before you run it.
latestvk975f2xczm1w9zhwzzbdbwbcfd84527r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.