Financial Search Engine

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: mx-finance-search
Version: 1.0.9

The mx-finance-search skill is a legitimate tool for retrieving financial news and reports via the Eastmoney (东方财富) API. The script `scripts/get_data.py` uses standard libraries to perform authenticated POST requests to a verified domain (ai-saas.eastmoney.com) and saves the results locally as described. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Eastmoney API key may authorize usage or quota on that service.

Why it was flagged

The script reads an API key from the environment and sends it as an authentication header to the financial data provider. This is purpose-aligned, but it is still credential use.

Skill content

EM_API_KEY = os.environ.get("EM_API_KEY", "") ... "em_api_key": api_key

Recommendation

Use a scoped, revocable API key if available, keep it out of shared logs and prompts, and revoke it if you suspect exposure.

What this means

Any confidential company, portfolio, or strategy details included in a query may be sent to the external provider.

Why it was flagged

The user's natural-language financial query is posted to a remote Eastmoney MCP-like tool endpoint. This is central to the skill, but query text leaves the local environment.

Skill content

MCP_URL = "https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchNews" ... payload = {"query": query, "toolContext": _load_optional_tool_context()}

Recommendation

Avoid putting non-public or highly sensitive financial information in queries unless you trust the provider and its terms.

What this means

Retrieved financial content may remain on disk after the search finishes.

Why it was flagged

Search results are written to a local text file by default. The path is scoped and the SKILL.md documents the --no-save option, so this is a notice rather than a concern.

Skill content

DEFAULT_OUTPUT_DIR = Path.cwd() / "miaoxiang" / "mx_finance_search" ... output_path.write_text(content, encoding="utf-8")

Recommendation

Use --no-save when you do not want local files, and clean up the output directory if results should not persist.