Intelligent Stocks Screener

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: mx-stocks-screener
Version: 1.0.15

The skill is a legitimate financial data screener that interfaces with the Eastmoney (东方财富) API to filter stocks, funds, and bonds using natural language. It uses the `EM_API_KEY` environment variable to authenticate requests to `ai-saas.eastmoney.com` and processes the returned data into local CSV files. The implementation in `scripts/get_data.py` is transparent, lacks any malicious execution or exfiltration logic, and the `SKILL.md` instructions are strictly aligned with the tool's functional purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the configured Eastmoney API credential, which may affect that account's access, quota, or billing depending on the provider terms.

Why it was flagged

The script reads an Eastmoney API key from the environment for authenticated provider access. This is expected for the stated integration and the visible artifacts do not show hardcoding or logging of the key.

Skill content

EM_API_KEY = os.environ.get("EM_API_KEY", "")

Recommendation

Use a revocable, least-privileged API key where possible, keep it out of prompts and logs, and rotate it if it may have been exposed.

What this means

Investment screening criteria, strategy ideas, or portfolio-related text entered into the query may be shared with the external provider.

Why it was flagged

The code sends the user's natural-language screening query and selected asset type to a remote Eastmoney endpoint, which is aligned with the skill's stated purpose.

Skill content

MCP_URL = "https://ai-saas.eastmoney.com/proxy/b/mcp/tool/selectSecurity" ... {"query": query, "selectType": selectType}

Recommendation

Avoid including confidential client, portfolio, or trading-strategy details unless sharing them with the provider is acceptable under your privacy and compliance requirements.

What this means

In controlled environments, installing the latest dependency version can reduce reproducibility and slightly increase supply-chain exposure.

Why it was flagged

The skill documents installing the public Python package httpx without a pinned version. This is a normal dependency for HTTP API access, but unpinned installs depend on package resolution at install time.

Skill content

"kind": "python", "package": "httpx" ... pip3 install httpx --user

Recommendation

If installing in a sensitive environment, pin and review the dependency version through your normal package-management process.