v1.0.0

Tecent Finance 1.0.0

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:39 AM.

Analysis

The skill is a simple stock-quote CLI description with no credentials or destructive behavior shown, but its runnable CLI is not included in the reviewed artifacts.

Guidance: This appears benign as documentation for a stock-price CLI, but verify the actual tfin executable before running chmod, symlinking it into /usr/local/bin, or installing dependencies. Use a virtual environment for Python packages and do not substitute unreviewed code from unknown sources.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
SKILL.md
chmod +x /path/to/skills/tencent-finance/tfin
ln -sf /path/to/skills/tencent-finance/tfin /usr/local/bin/tfin

The documentation references a local executable named tfin, but the supplied manifest contains only SKILL.md and _meta.json. This creates a packaging/provenance gap for the runnable component, though the setup is user-directed and aligned with the stated CLI purpose.

User impact: The skill may not work as packaged, and users should avoid obtaining or running a replacement tfin executable from an untrusted source.
Recommendation: Install only if the actual tfin executable or source code is provided from a trusted source and can be reviewed before making it executable or adding it to the global PATH.
Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: High. Status: Note.
SKILL.md
pip3 install requests rich

The skill documents third-party Python package installation, but the registry requirements/install spec do not declare these dependencies. This is a minor under-declaration rather than suspicious behavior because the dependencies are plausible for a Python CLI and the command is shown as a manual setup step.

User impact: Installing dependencies changes the local Python environment and depends on packages resolved from the package index.
Recommendation: Use a virtual environment and standard package hygiene before installing the documented dependencies.