Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mx Select Stock
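v1.0.4 · An intelligent stock-screening tool built on the 东方财富 database; it supports filtering stocks by market indicators, financial indicators, and other conditions.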
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to query 东方财富/妙想 stock-screen data and the Python client posts to a matching backend (https://mkapi2.dfcfs.com/finskillshub/api/claw/stock-screen) using an API key — this is coherent with the stated purpose. However the package registry metadata presented earlier lists no required environment variables while SKILL.md and the code require MX_APIKEY; also _meta.json contains a different ownerId/slug than the registry metadata, which is inconsistent and unexplained.
Instruction Scope
Runtime instructions and the script are narrowly scoped: they require an MX_APIKEY, make a single POST to the stated BASE_URL, parse the JSON/Markdown results, and write CSV/description/JSON files into /root/.openclaw/workspace/mx_data/output/. The skill does not access other system credentials or external endpoints beyond the stated API.
Install Mechanism
There is no install spec (instruction-only style) but a Python file is included which imports requests. The skill does not declare dependencies (requests) in metadata, so a runtime may fail or need to install third-party packages. No downloaded arbitrary binaries or external installers are present.
Credentials
The code legitimately requires a single API key (MX_APIKEY) to operate. However the registry metadata earlier reported 'Required env vars: none' while SKILL.md and the code require MX_APIKEY — this mismatch is a red flag. The skill writes output into a fixed workspace path under /root/.openclaw but does not request unrelated secrets. Confirming the true required env vars and the publisher identity is advisable before providing credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and only writes files to its own workspace directory. Autonomous invocation is enabled by default (normal) but not combined with other elevated privileges.
What to consider before installing
This skill's behavior (POST to mkapi2.dfcfs.com, requiring MX_APIKEY, writing CSV/JSON under /root/.openclaw) is consistent with a stock-screening tool, but the package metadata has inconsistencies you should resolve before trusting it. Ask the publisher to: (1) confirm the required environment variable MX_APIKEY is intentionally required and update the registry metadata to list it, (2) explain the ownerId/slug mismatch between registry and _meta.json, and (3) provide dependency information (requests) or an install spec. Only set an API key you trust for this service (avoid reusing high-privilege keys), and verify the backend domain (mkapi2.dfcfs.com) is the official endpoint. If you cannot verify the publisher or metadata, do not provide secrets and consider running the script in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
