Finnhub Pro
v1.1.0Finnhub 美股金融数据 CLI。实时报价、公司档案、新闻、分析师推荐、内部人交易、盈利日历、基本面财务、同行比较。Python 脚本封装,免费层 60 次/分钟。Use when: 查股价、查公司信息、看最新新闻、了解内部人是否在买卖、查看近期财报日期。NOT for: K线数据、目标价、情绪分析(需付费层)。
⭐ 5· 4k·44 current·46 all-time
bydtbllsj@lsj210001
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the code and instructions: a Finnhub CLI that uses the finnhub-python client to fetch quotes, news, insiders, earnings, etc. However, the registry metadata lists no required environment variables while both SKILL.md and scripts/finnhub_cli.py require FINNHUB_API_KEY. That discrepancy is unexpected and should have been declared in metadata.
Instruction Scope
Runtime instructions are narrowly scoped to installing finnhub-python, providing FINNHUB_API_KEY (env or ~/.openclaw/.env), and running the included script commands. The SKILL.md does not direct the agent to read unrelated files or exfiltrate data to third-party endpoints beyond Finnhub. It does advise storing the API key in ~/.openclaw/.env, which is a local configuration file for the agent.
Install Mechanism
No install spec is bundled (instruction-only install). The SKILL.md simply recommends pip install finnhub-python — a normal, low-risk dependency pull from PyPI. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The script and SKILL.md require a single credential (FINNHUB_API_KEY) which is appropriate for the stated purpose, but the skill registry metadata does not declare this required env var. Additionally, SKILL.md suggests storing the key in ~/.openclaw/.env — storing secrets in a file may be convenient but could increase exposure if that file is accessible by other processes or backed up. The mismatch between declared requirements and actual requirements is the main issue.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It only suggests writing an API key to the agent's config directory (user action), which is within normal behavior for a CLI-style skill.
What to consider before installing
This skill looks like a straightforward Finnhub CLI and the code calls only the official finnhub client. Before installing: (1) be aware the skill requires FINNHUB_API_KEY even though the registry metadata omits it — set that env var or the key won’t work; (2) avoid placing your API key in shared or world-readable files (if you do use ~/.openclaw/.env, ensure its file permissions restrict access); (3) confirm you trust the skill owner, since the script will send your API key to finnhub.io as intended; (4) verify the included scripts are exactly what you expect (they appear to only call the Finnhub API and print results); and (5) consider updating the skill metadata to declare FINNHUB_API_KEY so the requirement is explicit. If you want higher assurance, request that the publisher add the API key requirement to the registry metadata and confirm no other hidden network endpoints exist.Like a lobster shell, security has layers — review code before you run it.
latestvk97131qaqfgz1mqnw1ccst1hfh82hkcw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.