Mfapi
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears to be a straightforward public mutual-fund data lookup tool, with disclosed API calls and a small local cache but no credentials or account-changing actions.
This looks safe to install for public mutual-fund NAV lookups. Be aware that it contacts api.mfapi.in, may require python3 for the ISIN helper, and keeps a temporary public scheme-list cache in /tmp that you can delete if needed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The ISIN helper may not work unless python3 is available, even though python3 is not listed in the required binaries.
The declared binary requirements cover curl and jq, while the documented helper workflow also depends on python3. The helper code is included and uses only the Python standard library, so this is a transparency/setup note rather than a security concern.
"requires": { "bins": ["jq", "curl"] } ... python3 scripts/get_nav.py INF200K01UT4Ensure python3 is present before using the helper script, or rely on the documented curl/jq API examples.
Fund searches, scheme-code lookups, or latest-NAV requests may be sent to MFapi.in, but no private credentials or account-modifying actions are shown.
The helper script makes outbound HTTPS GET requests to the disclosed MFapi.in service. This is central to the skill’s stated purpose and the artifacts do not show mutation, credential use, or unrelated endpoints.
BASE_URL = "https://api.mfapi.in" ... urllib.request.urlopen(req, timeout=30)
Use the skill for public fund-data lookups and avoid entering unrelated private financial account details.
Incorrect or stale cached scheme data could produce wrong lookup results until the cache is refreshed; the cache does not appear to store user secrets.
The script stores a reusable local cache of the public scheme list for 24 hours. This is disclosed and purpose-aligned, but a stale or locally modified cache could affect ISIN-to-scheme matching.
CACHE_PATH = Path("/tmp/mfapi-schemes.json")
CACHE_MAX_AGE = 86400Delete /tmp/mfapi-schemes.json if results look wrong or if you want to force a fresh scheme-list download.