ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

allstock-data

v1.0.2

Stock market data query skill for China A-shares, Hong Kong, and US markets. Uses Tencent Finance HTTP API by default (lightweight, no install needed), with...

0· 1.4k·19 current·20 all-time
byAIWareTop@hacksing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (stock data for A-shares, HK, US) matches the SKILL.md: it documents Tencent Finance HTTP endpoints for real-time quotes, K-line history, and order-book data, and an optional adata SDK for more features. No unrelated services or credentials are requested.
Instruction Scope
Runtime instructions are limited to making HTTP requests to documented Tencent endpoints (qt.gtimg.cn, web.ifzq.gtimg.cn) and showing how to use the adata SDK. There are no instructions to read local files, harvest environment variables, or exfiltrate data to unexpected endpoints. Notes about GBK decoding and request-rate caution are appropriate for the task.
Install Mechanism
This is instruction-only with no install spec. The SKILL.md suggests an optional 'pip install adata' for extra features. Installing a third-party PyPI package is expected for that functionality but carries normal supply-chain/network risk; the skill itself does not force installation.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The only optional runtime configuration is an adata proxy setting (user-supplied), which is proportional to using a network proxy for the SDK.
Persistence & Privilege
The skill does not request always-on inclusion or any elevated agent privileges; default autonomous invocation is allowed (platform default). There are no instructions to modify other skills or system-wide settings.
Assessment
This skill appears coherent and limited to querying public Tencent Finance endpoints and optionally using the adata Python package. Before installing/using: (1) if you choose the optional adata package, verify its PyPI project page, maintainers, and version — installing arbitrary pip packages carries supply-chain risk; consider installing in a virtualenv or sandbox; (2) the Tencent endpoints return GBK-encoded text and have rate limits—decode responses and batch requests to avoid throttling; (3) no credentials are required, so do not provide secrets; (4) if you need guaranteed accuracy or latency for trading decisions, verify data delay/legal/licensing terms with the data provider. Overall this skill is internally consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk9785xkj6xse617w3qbqpbstpn820prd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments