Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock

v1.0.3

Retrieve real-time stock data including price, change, volume, and turnover for A-share, Hong Kong, and US markets via Sina Finance.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The description and SKILL.md claim support for A-share, Hong Kong, and US markets and show examples like AAPL/MSFT (US). The runtime code (bin/stock.js) only accepts 6-digit numeric symbols for A-shares and 5-digit numeric symbols for Hong Kong; it explicitly rejects non-numeric tickers and therefore does not support US tickers as claimed. Other than that mismatch, the code's use of Sina Finance (hq.sinajs.cn) is consistent with the stated A/HK purpose.
[!] Instruction Scope
SKILL.md instructs users to call the 'stock' CLI with examples including US tickers; the instructions therefore promise behavior the code cannot perform. The runtime instructions do not reference system files, extra env vars, or unexpected endpoints — network activity is limited to https://hq.sinajs.cn with a Referer header.
Install Mechanism
No install spec is provided and the package is a simple Node CLI using only built-in 'https'. Nothing is downloaded from untrusted URLs or written to uncommon locations.
Credentials
The skill requests no environment variables, no credentials, and no config paths — there are no secret or privileged requirements beyond normal network egress.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not modify other skills or system-wide settings and does not request persistent privileges.
What to consider before installing
This skill appears safe to run from a permissions standpoint (no secrets requested, only outgoing HTTPS to Sina), but it misrepresents functionality: despite examples and description claiming US-market support (AAPL, MSFT), the bundled CLI only accepts numeric A-share (6 digits) and Hong Kong (5 digits) tickers and will reject letter-based US symbols. If you need US stocks, do not rely on this skill. If you want to proceed: (1) test it locally with numeric A/HK tickers to confirm behavior, (2) avoid providing any extra credentials (none are required), and (3) request or inspect an updated version from the author if US support is required. If you are unsure, consider installing in a controlled environment or asking the maintainer to fix the documentation/examples to match the implementation.

Like a lobster shell, security has layers — review code before you run it.

latestvk977e8d4w01vre8dyfzebkq0b584ez80
