QuantOracle

v2.1.0

63 deterministic quantitative finance calculations via MCP. Options pricing, Greeks, implied volatility, exotic derivatives, risk metrics, portfolio optimiza...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description promise (63 quant tools via MCP) is implemented by the included Node code which exposes an MCP server built from an OpenAPI spec; declared required binary (node) and dependencies (@modelcontextprotocol/sdk, express) are consistent with that purpose.
Instruction Scope
SKILL.md tells agents to run `npx quantoracle-mcp` or connect to a remote MCP URL. The code implements an MCP server that fetches an OpenAPI spec from BACKEND_URL and exposes tool endpoints; the instructions do not ask the agent to read unrelated local files or secrets. However, SKILL.md and config-schema reference remote endpoints (mcp.quantoracle.dev / api.quantoracle.dev) while the code defaults BACKEND_URL to http://localhost:8001 — this mismatch could cause different runtime behavior depending on environment variables.
Install Mechanism
There is no high-risk remote download; sources are present in the package (package.json, dist/, src/). Dependencies are standard npm packages. No URL-shortener or extract-from-untrusted-URL install steps were found.
Credentials
The skill declares no required env vars but the code reads optional env vars (BACKEND_URL, PORT, FREE_DAILY_LIMIT, WALLET_ADDRESS). Those are plausible for configuring a service but the registry metadata does not document them; names and defaults also conflict with config-schema.json (which uses daily_limit/backend_url keys). A default WALLET_ADDRESS is present (likely for payment routing) — not a secret, but worth noting if you expect no crypto interaction.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system-wide privileges. It runs a local MCP server and keeps in-memory rate counters; nothing in the package attempts to modify other skills or system-wide agent settings.
Assessment
This package appears to implement what it claims (an MCP server that maps an OpenAPI spec to 63 deterministic finance tools). Before installing or running:
1) Note the BACKEND_URL/port configuration — if you do not set BACKEND_URL, the code defaults to http://localhost:8001 (but SKILL.md/config mention api.quantoracle.dev / mcp.quantoracle.dev). That means the server you contact for tool definitions can change behavior based on your environment; review and set BACKEND_URL explicitly.
2) The code fetches openapi.json from BACKEND_URL at runtime; that remote API defines the tool schemas and endpoints — you should inspect that backend (or self-host it) if you need to ensure the tool definitions are safe and do not exfiltrate data.
3) A default WALLET_ADDRESS is baked into the code (likely for payments); it's not a secret but check it if you expect different billing behavior.
4) Run in an isolated/test environment first or override BACKEND_URL to a self-hosted backend if you need full network control.
If you want, provide the fetched openapi.json or the truncated remainder of src/dist files and I can review the request/response handling and any forwarding/proxying logic in more detail.
dist/index.js:7
Environment variable access combined with network send.
src/index.ts:14
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

crypto · defi · derivatives · finance · latest · mcp · options · portfolio · quant · risk


Runtime requirements

📊 Clawdis
Bins: node
