Eastmoney Financial Search 1.0.2

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to be a straightforward Eastmoney financial-news search integration, but users should notice that it sends queries and an API key to an external provider.

This appears safe for its stated purpose if you trust Eastmoney and the package source. Before installing, confirm the package/version, set the API key only in a trusted environment, and avoid entering confidential or personal information in financial search queries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide an Eastmoney API key, and that key will authorize calls to the provider's API.

Why it was flagged

The skill needs a provider API key. This is expected for the Eastmoney search integration, but it is still account/service authority that users should configure only in a trusted environment.

Skill content

required_env_vars:
  - EASTMONEY_APIKEY
credentials:
  - type: api_key
    name: EASTMONEY_APIKEY

Recommendation

Use a dedicated or limited-scope API key if available, store it only as an environment variable, and avoid sharing logs or terminal output that might expose configuration details.

What this means

Financial search terms entered by the user are transmitted to the Eastmoney API, along with the configured API key.

Why it was flagged

The script sends the user's query and API key to an external Eastmoney endpoint. This is aligned with the skill's stated search purpose and is disclosed in SKILL.md, but it is still an external data flow.

Skill content

url = "https://mkapi2.dfcfs.com/finskillshub/api/claw/news-search"
headers = {
    "Content-Type": "application/json",
    "apikey": api_key
}
data = {
    "query": query
}

Recommendation

Do not include private, confidential, or regulated information in search queries unless you are comfortable sending it to the provider.

What this means

Users may have less clarity about exactly which package version or owner they are installing.

Why it was flagged

The embedded metadata differs from the registry listing shown for the evaluated skill, which reports a different owner ID, slug, and version. This is a packaging/provenance inconsistency, not direct evidence of unsafe runtime behavior.

Skill content

"ownerId": "kn73m56g83j65mv3bjd848j7vn82t04f",
"slug": "eastmoney-financial-search",
"version": "1.0.2"

Recommendation

Verify the skill source, owner, and intended version before installing, especially because the external homepage/source is not provided.