ClawHub

Tecent Finance 1.0.0

v1.0.0

Get stock prices, quotes, and compare stocks using Tencent Finance API. No API key required. Supports US stocks, China A-Shares, Hong Kong stocks. Optimized for use in mainland China.

0· 679·3 current·3 all-time
by@squally2k·duplicate of @sunerw-dev/tecent-finance-1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a 'tfin' CLI for Tencent Finance and gives commands to make /path/to/skills/tencent-finance/tfin executable and to symlink it into /usr/local/bin. However, the skill bundle contains no code files or executable named 'tfin'. That mismatch means the instructions expect an artifact that is not provided by the skill package.
!
Instruction Scope
Runtime instructions instruct the user/agent to run chmod and ln -sf to create a system-wide executable and to pip-install dependencies. They reference system paths (/usr/local/bin) and require filesystem modification privileges. The instructions do not tell where to obtain the 'tfin' executable, leaving open the possibility of downloading or creating an unchecked binary — a scope gap that could lead to executing arbitrary code.
Install Mechanism
There is no formal install spec (lowest risk in itself). But the README's manual install steps assume an included executable; because none is present, a user might fetch the binary from an external source not described here. The package itself does not perform any downloads, but the missing artifact is an installation incoherence to be aware of.
Credentials
The skill does not request environment variables, credentials, or config paths. It only lists Python runtime dependencies (requests, rich), which are proportionate to a CLI that calls a public finance API.
Persistence & Privilege
The skill is not marked always:true and does not demand autonomous privileges. However, the install instructions encourage placing an executable in /usr/local/bin (system-wide) which requires elevated privileges; the package does not include the artifact, increasing the chance a user may manually install an arbitrary binary with elevated rights.
What to consider before installing
This SKILL.md claims a 'tfin' CLI but the package contains no code or executable. Do not run the suggested chmod/ln commands or download/install an executable unless you can verify its source. Recommended steps before installing or using this skill: - Ask the publisher for the full source code or the tfin script; do not execute binaries from unknown sources. - If they provide a script, review its contents (or run it in a sandbox) to verify it only makes HTTP calls to Tencent Finance endpoints and does not exfiltrate data or execute other system commands. - Avoid symlinking into /usr/local/bin or running installs as root until you trust the artifact; prefer running the tool from a confined environment (virtualenv, container, or non-privileged user). - Note the metadata inconsistencies (ownerId and slug/name variations and spelling errors). These could be benign typos but warrant asking the author to clarify provenance. If you can't get a verifiable script/source, treat this skill as untrusted and choose a well-known alternative (e.g., a published PyPI package or a verified GitHub repo) instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk9799mp44mr7qwr9hfs8jjskks812rbv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments