v1.0.0

stock

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:06 AM.

Analysis

The skill is coherent for read-only stock and financial data lookup, but it embeds a default API key and tells the agent to use it if no user key is configured.

Guidance: Review before installing. The financial data functionality appears purpose-aligned and read-only, but you should not rely on the embedded API key. Verify the publisher and provider, configure your own scoped MX_APIKEY only if you trust the service, and avoid sending confidential investment or business information in queries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none

The skill has no executable install path, but its publisher/source provenance is limited while it routes requests to an external financial API.

User impact: Users have less context for verifying the maintainer, official provider relationship, or origin of the embedded API key.
Recommendation: Verify the publisher and service relationship before relying on the integration, especially before configuring a personal API key.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
If none is configured, use the default sample apikey when calling: mkt_ViJH0AwP4...; Default API Key: `mkt_ViJH0AwP4...`

The artifact includes a concrete API key value and instructs the agent to use it as a fallback. The registry metadata declares no primary credential and no env var declarations, so this credential use is not clearly bounded or declared.

User impact: The agent may call the external finance API under a shared or unknown credential, creating attribution, quota, revocation, and unauthorized-use concerns.
Recommendation: Remove the embedded key, declare MX_APIKEY as the credential, require users to provide their own scoped key, and document the key scope, owner, and rotation process.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
mx_search.md
curl -X POST --location 'https://mkapi2.dfcfs.com/finskillshub/api/claw/news-search' ... --data '{"query":"查询内容"}'

The skill sends user-provided financial queries to an external API endpoint. This is aligned with the skill's purpose, but users should know their query text leaves the agent environment.

User impact: Financial search terms, screening conditions, or investment-related questions may be shared with the external service.
Recommendation: Use the skill only for queries you are comfortable sending to the provider, and avoid including confidential trading strategies or nonpublic business information.