Finam
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a coherent Finam trading API helper, but it is review-worthy because it can use live brokerage credentials and documents placing or canceling real orders without visible safety guardrails.
Install only if you intend to let an agent work with a Finam brokerage account. Treat it as capable of live trading: use least-privilege or read-only credentials where possible, require explicit approval for every order or cancellation, and avoid following optional unpinned install commands without review.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent mistake, ambiguous prompt, or prompt-injection-like instruction could result in real trades or canceled orders, potentially causing financial loss.
The skill documentation includes raw API calls for placing and canceling brokerage orders, which can directly affect a live trading account. The provided artifacts do not show mandatory user confirmation or risk limits around these high-impact mutations.
### PlaceOrder — place an order ... fp_provider.orders_stub.PlaceOrder ... quantity=Decimal(value='10') ... type=OrderType.ORDER_TYPE_MARKET ... ### CancelOrder — cancel an order
Only use this with explicit per-order approval. Require the agent to restate account, symbol, side, quantity, order type, price, and estimated value before any PlaceOrder or CancelOrder call; prefer read-only or least-privilege API keys when possible.
The agent may be able to view account details and, depending on key permissions, perform trading actions on the linked account.
The required credentials are disclosed and purpose-aligned for Finam API use, but they identify and authorize access to a brokerage account.
**Prerequisites:** `$FINAM_API_KEY` and `$FINAM_ACCOUNT_ID` must be already set in your environment.
Use the narrowest available Finam token permissions, avoid sharing the environment with unrelated tools, rotate/revoke the key when done, and use a separate low-risk account if possible.
If the user follows this optional install instruction, they may run third-party code that can change over time.
The reference documentation suggests installing a package directly from an unpinned GitHub repository. It is not shown as an automatic install step, but it is still a provenance and reproducibility consideration.
pip install git+https://github.com/cia76/FinamPy.git
If using FinamPy, pin a specific commit or release, review the package source, and install it in an isolated environment.
