Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ifind-finance-data/同花顺 Financial Data
v1.0.1
iFinD (同花顺) financial data query - query stocks, funds, macroeconomics, industry economics, news and announcements. Supports smart stock/fund screening, fina...
by @kooui
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the included code and endpoints. The skill calls iFinD MCP endpoints (api-mcp.51ifind.com) and provides functions for stock/fund/macro/news queries, consistent with its description. The only credential needed is an iFinD MCP auth token stored in mcp_config.json, which is appropriate for this purpose.
Instruction Scope
SKILL.md confines instructions to using the provided Python/Node wrappers and instructs users to obtain and store an MCP auth token in mcp_config.json. It does not instruct reading unrelated files or exfiltrating arbitrary data. It does note the agent can help the user write the token to the config file (which implies file writes will occur).
Install Mechanism
No install spec; the skill is instruction/code-only. Provided scripts use only standard libraries (Node.js built-ins and Python requests). No downloads from third-party URLs or package installs declared in the manifest.
Credentials
The skill declares no required env vars but requires an auth token stored in mcp_config.json (present in the package as a template). Requesting a single service token is proportionate. However, both code files disable TLS certificate verification (Node: rejectUnauthorized=false; Python: verify=False), which weakens transport security and increases the risk that the auth token could be intercepted or subject to MITM. The skill will read a local file containing a sensitive token and may prompt/help the user to write it.
Persistence & Privilege
always is false and there are no indications the skill requests elevated or persistent system privileges. It only reads a local mcp_config.json and does not modify other skills or system-wide agent settings.
Assessment
This skill is coherent with its stated purpose: it wraps iFinD MCP APIs and requires an iFinD MCP auth token stored in mcp_config.json. Before installing, consider:
1) The code disables TLS verification (rejectUnauthorized=false / verify=False). That is insecure — it can expose your auth token to network attackers. If you plan to use it, change the code to enable certificate verification or ensure you run in a trusted network.
2) The auth token will be stored in a local file; keep that file protected (restrict filesystem permissions) and do not paste the token into chat or public channels.
3) The endpoints used are api-mcp.51ifind.com, which matches the skill homepage; verify this is the vendor endpoint you expect.
4) The Python script requires the requests library; install it in a controlled environment.
5) If you cannot or do not want to store a long-lived token on disk, do not install or provide the token.
Overall the skill appears to do what it says, but fix the TLS verification and treat the auth token as sensitive before use.
Like a lobster shell, security has layers — review code before you run it.
