Is lsj210001/finnhub-pro safe?
https://github.com/openclaw/skills/tree/main/skills/lsj210001/finnhub-pro
The finnhub-pro skill is a straightforward, read-only Python CLI tool for retrieving financial data from the Finnhub public API. No prompt injection attempts, malicious code, credential theft mechanisms, or suspicious network behavior were detected. The primary concerns are operational rather than security: hardcoded absolute paths referencing the original author's macOS home directory (/Users/dtbllsj/) make the skill non-functional on any other machine as-written, and the placeholder API key requires the user to supply their own Finnhub credentials before use.
Findings (6)
MEDIUM: Hardcoded Author-Specific Absolute Paths in SKILL.md (score -18)
SKILL.md instructs agents to invoke the script via paths anchored to the original author's macOS home directory: /Users/dtbllsj/.openclaw/workspace/skills/finnhub/scripts/finnhub_cli.py and /Users/dtbllsj/.pyenv/versions/3.12.12/bin/python3. On any other machine these paths do not exist. An agent following the SKILL.md instructions verbatim will either fail to execute the script or attempt to execute a file at a non-existent path. This is a significant usability defect indicating the skill was not generalized before publication, but it is not an intentional injection attack.
LOW: Placeholder API Key, Skill Non-Functional Without User Configuration (score -18)
Both SKILL.md and finnhub_cli.py use the literal string 'YOUR_FINNHUB_API_KEY' as the Finnhub API key. The Python script reads the key from the environment variable FINNHUB_API_KEY with this string as the fallback default. Without a real key all API calls will receive 401/403 errors. When a user substitutes a real key, all queried stock symbols and date ranges become visible to Finnhub's servers and are subject to Finnhub's data retention and logging policies.
LOW: Unmanaged Python Package Dependency (finnhub-python) (score -12)
The script imports the finnhub package at the top level and emits a user-facing error message if it is absent, then exits. There is no automated installation mechanism (no requirements.txt, no setup.py, no pip invocation). The dependency must be manually satisfied by the user or the agent environment before the skill can function. An agent that encounters the ImportError may be confused about the failure mode.
LOW: All Financial Queries Transmitted to Third-Party Finnhub API (score -20)
Every command (quote, profile, news, insiders, earnings, financials, peers, search) results in HTTPS requests to Finnhub's servers carrying the user's API key and the queried stock symbol or search term. Finnhub is a legitimate commercial API provider, but users should understand that their research activity is logged by a third party. In combination with a portfolio or trading skill, this could expose a user's investment interests externally.
INFO: Clean Installation, Only Expected GitHub Network Activity (score 0)
The install process cloned the openclaw/skills monorepo from GitHub (140.82.121.4:443), performed a sparse-checkout of the lsj210001/finnhub-pro subdirectory, and copied the three skill files to the target directory. No unexpected outbound connections were observed, no DNS queries to non-GitHub hosts were attributable to the install, no background processes were spawned, and no filesystem changes occurred outside the skill directory.
INFO: Canary Files Read by Monitoring Infrastructure, Content Intact (score -8)
Honeypot credential files were opened and read at two points during the monitoring window. The first read (timestamp 1771926701, before any install activity) and the second read (timestamp 1771926724, after install completion) are both consistent with Oathe monitoring infrastructure performing pre/post baseline reads. No Python process was executing during either access window, ruling out skill-initiated reads. Canary content was not modified and no exfiltration network traffic was correlated with these reads.