Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
A-Share Multi-Dimensional Quantitative Analysis
v1.4.0
A-Share Multi-Dimensional Quantitative Analysis MCP Server - broker research reports, AI news analysis, and stock comprehensive analysis
by Evan (@li-evan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Declared tools (research report search, news analysis search, stock analysis) map directly to the functions implemented in server.py; the overall capability matches the name/description.
Instruction Scope
SKILL.md instructs agents to connect to an external MCP server (http://42.121.167.42:9800/mcp) using a bearer token and gives an out-of-band WeChat contact for obtaining an API key; that is consistent with a hosted service. However, the shipped server.py itself connects by default to a different hard-coded MongoDB host/IP and reads its configuration from environment variables with insecure defaults. SKILL.md does not disclose these backend endpoints or credentials, nor the fact that the service fetches full-text reports from a remote database.
Install Mechanism
No install spec; the skill is instruction-only (no automatic downloads). The package includes server.py and pyproject metadata but provides no install hooks — low installation surface.
Credentials
Registry metadata listed no required env vars, but server.py reads env vars and ships hard-coded sensitive defaults: API_TOKEN default 'yanpan-mcp-secret-2026', MongoDB host 121.43.242.239, username 'admin' and password 'tradingagents123'. Those credentials and remote IPs are unexpected and disproportionate (plaintext DB creds baked into the code).
Persistence & Privilege
The skill's always flag is false, and the skill neither requests system-wide privileges nor modifies other skills. If the included server were executed it would run a network service, but nothing in the package forces persistent installation on the user's system.
Scan Findings in Context
[hardcoded-credentials] unexpected: server.py contains hard-coded/default credentials and server addresses (API_TOKEN default 'yanpan-mcp-secret-2026'; MongoDB host 121.43.242.239; username 'admin'; password 'tradingagents123'). These are not declared in SKILL.md or registry metadata and are unexpected for a client-facing skill.
[undisclosed-backend-endpoints] unexpected: SKILL.md points clients at 42.121.167.42:9800 but server.py is configured by default to connect to a MongoDB at 121.43.242.239. The backend DB endpoint(s) are not disclosed or explained in documentation.
What to consider before installing
This skill appears to do what it claims (provide research/news/stock analysis) but includes worrying artifacts: plaintext default API token and MongoDB credentials and hard-coded IPs in server.py that are not documented in SKILL.md. Before installing or running anything from this skill:
- Do not run the included server.py locally unless you trust the source. As shipped, the file attempts to connect to a remote MongoDB using the embedded credentials; if you must run it, do so in an isolated network environment and override every environment variable rather than relying on the defaults.
- Ask the publisher for provenance: who operates the servers at 42.121.167.42 and 121.43.242.239, and why are DB credentials embedded in the code? Request a privacy/security policy and an official API endpoint and docs.
- Prefer your own hosted instance or a vetted provider. If you must use the remote service, require an API key sent over HTTPS (the endpoint in SKILL.md is plain http, so the bearer token would travel in cleartext) and confirm that TLS and authentication are actually enforced.
- Treat the provided default credentials as compromised; insist they be removed from source and rotated.
If the publisher cannot satisfactorily explain the hard-coded credentials and endpoints, avoid using this skill or running its server.
latest: vk974r4v8j2eymtgqv4n4gjfjv582p8b5
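The review steps above boil down to reading server.py for exactly the patterns the scan findings report: environment variables whose defaults are secrets, bare IP literals, and plaintext http:// endpoints. The script below is an added example of such a pre-install check; it is not ClawHub's scanner or the skill's own code. It walks a Python source file with the standard-library ast module and flags those three patterns. The embedded sample is constructed to mirror the defaults the scan report describes, and the function and regex names are assumptions.

```python
"""Pre-install audit for a Python MCP skill (added example, not the skill's code).

Flags three patterns the ClawHub report calls out:
  * os.getenv()/os.environ.get() calls whose secret-looking variable has a non-empty default
  * bare IPv4 literals (optionally with a port) in string constants
  * plaintext http:// URLs in string constants
"""
import ast
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Names that usually hold something you would not want baked into source.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASS(WORD)?|KEY|CRED|USER)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b")
HTTP_URL = re.compile(r"\bhttp://[^\s'\"]+")

# Constructed sample modelled on the defaults the scan report describes; not the real file.
SAMPLE_SERVER_PY = '''\
import os
API_TOKEN = os.getenv("API_TOKEN", "yanpan-mcp-secret-2026")
MONGO_HOST = os.environ.get("MONGO_HOST", "121.43.242.239")
MONGO_USER = os.environ.get("MONGO_USER", "admin")
MONGO_PASSWORD = os.environ.get("MONGO_PASSWORD", "tradingagents123")
MCP_URL = "http://42.121.167.42:9800/mcp"
PORT = int(os.getenv("PORT", "9800"))
'''


@dataclass(frozen=True)
class Finding:
    kind: str    # "env-default-secret" | "hardcoded-ip" | "plaintext-http"
    line: int
    detail: str


def _env_call_name(node: ast.Call) -> Optional[str]:
    """Return the variable name if node is os.getenv(NAME, ...) or os.environ.get(NAME, ...)."""
    f = node.func
    if not isinstance(f, ast.Attribute):
        return None
    is_getenv = f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os"
    is_environ_get = f.attr == "get" and isinstance(f.value, ast.Attribute) and f.value.attr == "environ"
    if not (is_getenv or is_environ_get):
        return None
    first = node.args[0] if node.args else None
    if isinstance(first, ast.Constant) and isinstance(first.value, str):
        return first.value
    return None


def _default_arg(node: ast.Call) -> Optional[ast.expr]:
    """The default value passed positionally or as default=..., if any."""
    if len(node.args) >= 2:
        return node.args[1]
    for kw in node.keywords:
        if kw.arg == "default":
            return kw.value
    return None


def audit_source(src: str) -> List[Finding]:
    """Parse Python source and return sorted, de-duplicated findings."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _env_call_name(node)
            default = _default_arg(node)
            if (name and SECRET_NAME.search(name)
                    and isinstance(default, ast.Constant) and default.value not in (None, "")):
                findings.add(Finding("env-default-secret", node.lineno,
                                     f"{name} defaults to {default.value!r}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for m in IPV4.finditer(node.value):
                findings.add(Finding("hardcoded-ip", node.lineno, m.group(0)))
            for m in HTTP_URL.finditer(node.value):
                findings.add(Finding("plaintext-http", node.lineno, m.group(0)))
    return sorted(findings, key=lambda f: (f.line, f.kind))


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_PY
    for f in audit_source(text):
        print(f"line {f.line}: [{f.kind}] {f.detail}")
```

Run it as `python audit_skill.py path/to/server.py` before executing anything from a downloaded skill. The env-var check uses the AST rather than a regex so it catches the default whether it is passed positionally or as default=...; the IP and URL checks deliberately run over every string constant so endpoints assembled outside a configuration block are not missed. A clean run is not a proof of safety, only the absence of the three patterns the scan report describes.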
