ClawHub

Tecent Finance 1

v1.0.0

Get stock prices, quotes, and compare stocks using Tencent Finance API. No API key required. Supports US stocks, China A-Shares, Hong Kong stocks. Optimized for use in mainland China.

0· 889·0 current·0 all-time
by@sunerw-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a 'tfin' Python CLI that fetches Tencent Finance data and even gives install/symlink instructions, but the skill bundle contains no code or binary. That means the declared capability (a CLI bundled in the skill) is not actually present. The overall purpose (fetching stock prices) is plausible, but the package's contents do not match the claimed capability.
Instruction Scope
Instructions are narrowly scoped to fetching finance data and to installing dependencies (requests, rich) and running the 'tfin' command. They do not request unrelated files or credentials. However, the instructions instruct filesystem actions (chmod and creating a symlink to /usr/local/bin) referencing a path inside the skill (/path/to/skills/tencent-finance/tfin) that does not exist in the bundle — an incoherence that could cause users to run commands on unknown binaries if they obtain them elsewhere.
!
Install Mechanism
There is no install spec (instruction-only), which is low-risk in itself, but SKILL.md tells users to chmod and symlink a binary into /usr/local/bin. That implies writing to a system-wide location (requires elevated privileges) yet no code or trusted download/source is provided. Directing users to place an executable into system paths without supplying or verifying it is a suspicious practice.
Credentials
The skill requests no environment variables, credentials, or config paths. The declared environment needs (requests, rich, Python 3.7+) are proportionate to a small CLI that queries a public API.
Persistence & Privilege
The skill does not request persistent presence (always:false) and makes no claims of modifying other skills or system-wide agent settings. It is user-invocable only, which is appropriate for this functionality.
What to consider before installing
Do not run the chmod/ln commands or try to install a 'tfin' binary from unknown sources. This skill's README claims a bundled CLI, but the package contains no executable or source code and the metadata owner id is inconsistent — both are red flags. If you want to use this safely, ask the publisher for the upstream repository or a signed release (GitHub release or official project site), inspect the tfin source code, or obtain the binary from a trusted distro. If the author explains that this SKILL.md is only usage docs for an externally provided tool, confirm where that tool comes from and verify its integrity before creating symlinks under /usr/local/bin. Additional information that would change this assessment: included source code or a verified download URL, matching owner metadata, or a known homepage/repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bcdg5z2tbmdx4620z50r9sd810x1s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments