Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
stock
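v1.0.0 · Based on the authoritative Eastmoney database, provides intelligent query and screening services for financial data, including stock selection, market quotes, financials, and relationship data.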
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the included docs all describe a financial-data/search skill calling an external API (mkapi2.dfcfs.com) for stock data, screening, and news; the requested functionality aligns with the stated purpose.
Instruction Scope
The runtime instructions direct the agent to read the MX_APIKEY environment variable (falling back to a provided default key if it is absent) and to POST queries to mkapi2.dfcfs.com. The skill also asks the agent to output full CSVs of returned data. The instructions reference an env var that is not declared in the metadata and give broad discretion about exporting large result sets, which increases the risk of unintended data exposure or large outputs.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk and no third-party packages are installed — lowest install risk.
Credentials
SKILL.md requires the use of an API key (MX_APIKEY) and even provides a default API key, but the registry lists no required env vars or primary credential. The presence of an embedded default key is unexpected and may enable calls without a user-owned credential; the metadata should declare MX_APIKEY if it's required.
Persistence & Privilege
The skill does not request always:true and does not modify system/other-skills config. Agent autonomous invocation is allowed (default) but not combined with other high-privilege requests.
What to consider before installing
This skill appears to do what it claims (query/search financial data via an external API). However: (1) the SKILL.md expects an environment variable MX_APIKEY but the registry metadata does not declare it — ask the publisher to declare required env vars explicitly; (2) the SKILL.md embeds a default API key — avoid relying on shared keys and replace it with your own API key stored in a private environment variable if you use this skill; (3) the skill will make network calls to mkapi2.dfcfs.com — verify that domain and the service are legitimate and acceptable for your data/privacy requirements; (4) the skill asks to output full CSVs of returned data — beware of exporting large or sensitive datasets. If you want to proceed, request the publisher to (a) add MX_APIKEY to the declared required env vars, (b) remove any embedded default secret from public docs or confirm it is a harmless demo key, and (c) clarify data retention, rate limits, and what the external API logs.

Like a lobster shell, security has layers — review code before you run it.
