Eastmoney Financial Data 1.0.2

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims—query Eastmoney financial data—but users should notice that it sends queries and an API key to an external provider and has minor metadata/provenance inconsistencies.

This looks safe to use for its stated purpose if you intend to query Eastmoney data. Before installing, verify the publisher/version, store EASTMONEY_APIKEY securely, and avoid sending sensitive personal or account-specific details in query text.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide an Eastmoney API key, and that key is used to authenticate requests to the provider.

Why it was flagged

The helper script reads a local API key and sends it as a request header. This is expected for the Eastmoney API, but it is still credential use that users should recognize.

Skill content
api_key = os.getenv("EASTMONEY_APIKEY") ... "apikey": api_key
Recommendation

Use a dedicated provider key if available, keep it in a trusted environment, and rotate it if you suspect exposure.

What this means

Financial questions entered through the skill may be sent to the Eastmoney API along with authentication.

Why it was flagged

The skill discloses that user query text is transmitted to an external API domain. This is aligned with the financial-data lookup purpose, but it is an external data flow.

Skill content
This Skill will send your query text to the official Eastmoney API domain ( `mkapi2.dfcfs.com` )
Recommendation

Avoid putting confidential, personal, or account-specific information into free-text queries unless you are comfortable sharing it with the provider.

What this means

The package identity is not perfectly consistent across supplied artifacts, so users may want to verify they are installing the intended skill.

Why it was flagged

The embedded metadata differs from the supplied registry metadata, which lists a different owner ID, slug, and version. This is a provenance inconsistency, though the visible code remains coherent with the stated purpose.

Skill content
"ownerId": "kn73m56g83j65mv3bjd848j7vn82t04f", "slug": "eastmoney-financial-data", "version": "1.0.2"
Recommendation

Confirm the publisher and version in ClawHub before installing, especially because the source and homepage are not provided.