xhcj-finance

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a read-only finance data CLI, but users should note that it authenticates with a user-supplied API key and installs npm dependencies.

This skill is coherent with its stated read-only finance-query purpose. Before installing, make sure you trust the package source and the Xinhua/CNFIN API endpoint, and only provide an API key you are comfortable using for this service.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you provide an API key, the tool can authenticate requests to the finance data service on your behalf.

Why it was flagged

The CLI sends a key-derived bearer credential to the remote finance API. This is expected for an authenticated finance-data query tool, but the user should treat the API key and derived token as sensitive.

Skill content

config.headers.Authorization = `Bearer ${secureApiKey}`;

Recommendation

Use a dedicated API key with the minimum needed access, avoid pasting real keys into shared chats or logs, and rotate the key if it may have been exposed.

What this means

Installing the tool may fetch dependency versions that were not exactly the ones reviewed here.

Why it was flagged

The npm dependencies use caret version ranges, so installation may resolve to newer compatible versions. This is common for npm projects, but it means users depend on the npm supply chain at install time.

Skill content

"dependencies": { "axios": "^1.13.6", "commander": "^14.0.3" }

Recommendation

Install from a trusted source and consider using a lockfile or pinned dependency versions for more reproducible installs.