Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the implementation: the script queries Sina Finance for A/H market data and Yahoo Finance (via yfinance) for US markets, commodities, indices and FX. Declared required binary (python3) and optional dependency (yfinance) are appropriate for this purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run the included Python script from the skill workspace path — that matches the provided files. The script performs network requests to expected external services (hq.sinajs.cn for Sina and Yahoo via yfinance). Note: the Sina request uses plain HTTP (http://hq.sinajs.cn/list=...), which is unencrypted and susceptible to MITM/tampering; this is a security/privacy consideration but not incoherent with the skill's stated purpose.
Install Mechanism
There is no automated install spec; SKILL.md suggests 'pip3 install yfinance' which is a standard, minimal dependency. No downloads from arbitrary URLs or archive extraction were specified. The skill is instruction-only in the registry but includes code files — that's consistent (script is executed directly).
Credentials
The skill requires no environment variables or secret credentials. It does not request access to unrelated services. The only external dependency is the public yfinance package (pip), which requires network access to fetch but no secrets.
Persistence & Privilege
Flags show always:false and model invocation enabled (normal). The skill does not request persistent system-wide privileges or modify other skills. It runs as a script in the skill workspace and doesn't declare any elevated or persistent privileges.
Assessment
This skill appears to do what it says: fetch realtime quotes from Sina (A/H) and Yahoo (US/commodities/FX). Before installing, consider: 1) The script makes network requests to public endpoints (Sina and Yahoo); allow network only if you trust those services. 2) The Sina call uses HTTP (not HTTPS), so responses could be tampered with on a hostile network — avoid using on untrusted networks or prefer HTTPS if you modify the script. 3) yfinance is installed via pip — verify you trust the package source and consider installing in a virtualenv. 4) The skill source/homepage is unknown; if you need stronger assurance, review the full realtime_finance.py file yourself (or run it in a sandbox) to confirm there are no unexpected network endpoints or logging/exfiltration steps. If you are satisfied, the requested permissions and behavior are proportionate for a finance-quote tool.Like a lobster shell, security has layers — review code before you run it.
chinavk970ccm3q8hcy9hn2knnc2ad7184075wfinancevk970ccm3q8hcy9hn2knnc2ad7184075wlatestvk970ccm3q8hcy9hn2knnc2ad7184075wmarketvk970ccm3q8hcy9hn2knnc2ad7184075wstocksvk970ccm3q8hcy9hn2knnc2ad7184075w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📈 Clawdis
Binspython3