Skill v0.1.0

ClawScan security

Mx Stocks Screener · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 4, 2026, 1:24 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: The skill's code, instructions, and requested environment variable (EM_API_KEY) are consistent with a natural‑language stock/fund screener that calls EastMoney's MCP API and writes CSV outputs; nothing obviously unrelated or excessive is requested or installed.

Guidance: This skill appears coherent with its stated purpose, but before installing: (1) confirm the EM_API_KEY you provide is from a trusted EastMoney account and check its permissions, expiry, and revocation options; (2) avoid pasting the key into prompts or logs — keep it in environment variables only; (3) run the script in an isolated or controlled environment if you are unsure (it makes network requests to EastMoney and writes CSVs to disk); (4) if you need extra assurance, inspect the remainder of scripts/get_data.py (and any future updates) to verify no additional network endpoints or file accesses are added.

Review Dimensions

Purpose & Capability: ok
The name/description (natural‑language screener using 东财/MCP) matches what the package requests and does: it requires an EM_API_KEY, uses httpx to call an EastMoney MCP endpoint (ai-saas.eastmoney.com/proxy/…), and converts results to CSV and a description file. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope: ok
SKILL.md and the provided script stay within scope: they instruct setting EM_API_KEY, installing httpx, and running scripts/get_data.py, which queries the MCP endpoint and writes CSV/description files. The instructions do not ask the agent to read arbitrary system files or exfiltrate other secrets.
Install Mechanism: ok
There is no heavyweight install spec; only a simple dependency (httpx) is suggested via pip. No downloads from unknown URLs, no archive extraction, and no creation of unexpected system binaries.
Credentials: ok
Only one required environment variable (EM_API_KEY) is declared and used, which is proportionate for a service that authenticates to EastMoney's API. The SKILL.md also documents an optional MX_STOCKS_SCREENER_OUTPUT_DIR for output files; this is reasonable. There are no unrelated SECRET/TOKEN variables requested.
Persistence & Privilege: ok
The skill does not request "always: true" and does not modify other skills or system settings. It runs on demand and writes outputs only to its own output directory.