ClawHub
Back to skill
v1.0.0

Tecent Finance 1

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:36 AM.

Analysis

This appears to be a benign stock-price helper, but the reviewed package only contains documentation and has some provenance/setup ambiguity.

GuidanceBefore installing, verify the actual tfin executable/source and publisher because the reviewed package only includes documentation. If you use it, expect stock symbols you query to be sent to Tencent Finance, and only create the optional global command if you trust the executable.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
chmod +x /path/to/skills/tencent-finance/tfin
ln -sf /path/to/skills/tencent-finance/tfin /usr/local/bin/tfin  # Optional: global access
...
pip3 install requests rich

The documentation expects a local tfin executable and Python package installation, while the supplied artifacts contain only SKILL.md and _meta.json with no included CLI source or install spec.

User impactA user may try to install or globally expose a command whose implementation is not present in the reviewed package.
RecommendationOnly run the setup commands if you can inspect the actual tfin executable/source from a trusted location; avoid the global symlink unless you need it.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
_meta.json
"ownerId": "kn71fmgr8vvghtwcjamnp2fmrx80rqh9",
  "slug": "tecent-finance"

The embedded metadata does not match the supplied registry owner/slug values, creating minor provenance ambiguity even though no unsafe behavior is shown.

User impactIt may be harder to confirm that the package identity and registry listing refer to the same intended artifact.
RecommendationConfirm the publisher and package identity before installing, especially because no homepage or source repository is provided.