Skill v0.1.0
ClawScan security
Mx Finance Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 4, 2026, 1:24 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it requires a single EM_API_KEY to call EastMoney's search endpoint, runs a small Python client that posts queries and optionally writes readable results to disk, and does not request unrelated credentials or perform unexpected actions.
- Guidance: This skill appears coherent and limited to EastMoney search calls, but before installing: 1) verify you obtained EM_API_KEY from the official EastMoney/MxClaw service and that the key can be revoked/rotated; 2) avoid embedding the key in code or logs; use environment variables as instructed; 3) be aware results are saved by default under the skill's workspace (miaoxiang/mx_finance_search); sensitive content may be persisted; 4) run the script in an isolated environment or with network egress controls if you require stricter data handling; 5) if you need higher assurance, review the bundled scripts locally (they are small) and confirm the MCP endpoint (https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchNews) matches your expectation.
Review Dimensions
- Purpose & Capability: ok. The name/description (financial news/search) aligns with the code and SKILL.md. The only required secret is EM_API_KEY, which is exactly what a service-backed financial search client would need. The code constructs requests to an EastMoney MCP URL and returns/extracts content as documented.
- Instruction Scope: ok. SKILL.md and the Python script limit actions to: read EM_API_KEY, accept a query, call the EastMoney search API, extract text, and optionally save results to a local .txt file. There are no instructions to read unrelated local files, exfiltrate other data, or call unexplained external endpoints.
- Install Mechanism: ok. There is no install spec (instruction-only with one bundled Python script). That is low-risk: nothing is downloaded or injected at install time. The runtime requires a Python environment but installs nothing automatically.
- Credentials: ok. Only EM_API_KEY is required and is used for the documented API call. No other credentials, keys, or config paths are requested. The secret's use is justified by the skill's purpose.
- Persistence & Privilege: ok. The `always` flag is false (no forced inclusion). The code writes output only to its own default output directory (miaoxiang/mx_finance_search) when saving is enabled; it does not modify other skills or system-wide agent settings.
