ClawHub

Tecent Finance

v1.0.0

Get stock prices, quotes, and compare stocks using Tencent Finance API. No API key required. Supports US stocks, China A-Shares, Hong Kong stocks. Optimized for use in mainland China.

6· 3.5k·22 current·22 all-time
by@pz325
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to provide a Python CLI named 'tfin' for Tencent Finance, but the bundle contains only SKILL.md and no code or install spec. The README assumes a tfin file exists at /path/to/skills/tencent-finance/tfin, which is not present in the published manifest — this is inconsistent and prevents verification of what the tool actually does.
!
Instruction Scope
Runtime instructions tell the user/agent to chmod a tfin binary and optionally symlink it into /usr/local/bin, then run that binary to fetch data from Tencent's API. Because the binary/source is missing, those instructions would either do nothing or depend on an external, unspecified binary. The instructions also direct network access (calling Tencent APIs) which is expected for the stated purpose but should be traceable to the included code; here it is not.
Install Mechanism
There is no install spec provided (lowest-risk in terms of automatic code execution). However, SKILL.md implies manual installation of a script that is not included and gives no authoritative download URL, release host, or repository to verify — that omission is a red flag because it forces users to obtain a binary from an unspecified source before use.
Credentials
The skill does not request environment variables, credentials, or config paths. The declared runtime requirements (Python 3.7+, requests, rich) are proportional to a CLI that queries a public finance API.
Persistence & Privilege
The skill does not request persistent privileges and always:false. However, the instructions recommend creating a symlink in /usr/local/bin (system-wide executable path), which requires elevated privileges and modifies system state — users should not place an unreviewed binary into that location.
What to consider before installing
Do not install or run an unreviewed 'tfin' binary. The skill package contains only documentation and no code or authoritative install source. Ask the publisher for the source repository or an official release URL and a copy of the tfin script so you (or someone you trust) can inspect it. If you must try it, run it inside an isolated environment (container or VM) and avoid creating system-wide symlinks in /usr/local/bin until you verify the code. Prefer packages distributed via a verifiable registry (PyPI, GitHub releases) with checksums/signatures. If the author cannot provide source or a trustworthy install method, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk974za9bnakmfcrbqvf18930x180vpha

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments