A-Share Multi-Dimensional Quantitative Analysis

Review: audited by ClawScan on May 18, 2026.

Overview

The finance analysis function is purpose-aligned, but the setup sends a bearer API key over plain HTTP and the included server code contains hardcoded backend credentials.

Review carefully before installing. The tools themselves are read-only finance lookups, but you should not place a bearer API key in a plain-HTTP MCP configuration unless you trust the network and provider. Prefer an HTTPS endpoint, ask the publisher to remove hardcoded backend credentials, and treat generated investment recommendations as informational rather than automatic trading advice.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: bearer API key sent to a raw IP address over plain HTTP

What this means

Anyone on the network path, whether a passive observer or an active man-in-the-middle, can read or alter the MCP traffic, including the bearer API key, the stock queries, and the analysis returned to the client. Because the endpoint is a bare IP address rather than a hostname, there is also nothing for the client to verify about who operates it.

Why it was flagged

The recommended MCP connection sends a bearer API key to a raw IP address over plain HTTP rather than HTTPS.

Skill content
"type": "http", "url": "http://42.121.167.42:9800/mcp", "headers": { "Authorization": "Bearer <YOUR_API_KEY>" }
Recommendation

Use only an HTTPS/TLS endpoint with a verified host, avoid sending sensitive queries over this connection, and rotate the API key if it was used over plain HTTP.
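The check below is an added example, not code from the ClawScan report or from the reviewed skill. It lints an MCP client configuration for the two problems flagged above: a credential-bearing header sent to a plain-HTTP URL, and an endpoint given as a raw IP literal. The weak entry reproduces the flagged configuration; the corrected entry, the server name "finance" and the hostname mcp.example.invalid are constructed for the example.

```python
"""Lint MCP server entries for credentials sent over plaintext HTTP.

Added example; not part of the ClawScan page or the skill under review.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed inputs: the flagged entry (HTTP, bearer token, raw IP) and a
# corrected entry that moves the same server behind TLS on a hostname.
WEAK_CONFIG = json.dumps({
    "mcpServers": {
        "finance": {
            "type": "http",
            "url": "http://42.121.167.42:9800/mcp",
            "headers": {"Authorization": "Bearer <YOUR_API_KEY>"},
        }
    }
})
FIXED_CONFIG = json.dumps({
    "mcpServers": {
        "finance": {
            "type": "http",
            "url": "https://mcp.example.invalid/mcp",  # assumed hostname
            "headers": {"Authorization": "Bearer <YOUR_API_KEY>"},
        }
    }
})

# Header names that carry a credential and must never travel in the clear.
SENSITIVE_HEADERS = {"authorization", "x-api-key", "api-key", "cookie"}


def _is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals such as 42.121.167.42 or ::1."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lint_mcp_config(config_text: str) -> list[str]:
    """Return one finding per problem; an empty list means the config is clean."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, server in servers.items():
        url = server.get("url")
        if not url:
            continue  # stdio servers have no network endpoint to inspect
        parts = urlsplit(url)
        host = parts.hostname or ""
        secret_headers = sorted(
            h for h in server.get("headers", {}) if h.lower() in SENSITIVE_HEADERS
        )
        if parts.scheme == "http" and secret_headers:
            findings.append(
                f"{name}: {', '.join(secret_headers)} header sent over plaintext HTTP to {host}"
            )
        elif parts.scheme == "http":
            findings.append(
                f"{name}: plaintext HTTP endpoint {host}; queries and results are readable in transit"
            )
        if _is_ip_literal(host):
            findings.append(
                f"{name}: endpoint is a raw IP literal ({host}); confirm who operates it "
                "and that any certificate actually covers it"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_mcp_config(cfg) or ["clean"])
```

Running the linter over a client configuration before the first connection is the cheapest point to catch this; once the key has been sent over HTTP, the only remedy is the rotation the recommendation above calls for.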

Finding 2: hardcoded default API token and MongoDB admin credentials in the server code

What this means

If these defaults are left active, or reused in the hosted deployment, anyone who reads the public source already knows the API token and the MongoDB admin login, so the backend data and the service itself are only as protected as those published strings. A user who self-hosts the server without overriding the variables will accept the public default token from any caller.

Why it was flagged

The server code contains shared default secrets for both API authentication and MongoDB access, including an admin database username/password.

Skill content
API_TOKEN = os.getenv("API_TOKEN", "yanpan-mcp-secret-2026") ... username=os.getenv("MONGODB_USERNAME", "admin"), password=os.getenv("MONGODB_PASSWORD", "tradingagents123")
Recommendation

Remove hardcoded secrets, require explicit environment-provided credentials, use least-privilege read-only database accounts, and declare the credential requirements in metadata.
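The code below is an added example, not the reviewed server's code. It places the flagged fallback pattern next to a fail-closed loader that refuses to start when a credential is missing, matches a value that was ever published in source, is too short, or names a privileged database account. The helper names (load_config, startup_check, token_matches), the explicit env mapping parameter and the length policy are assumptions made so the logic can be exercised without touching the real process environment.

```python
"""Fail-closed credential loading beside the flagged fallback pattern.

Added example; not code from the reviewed server. Helper names, the env
parameter and the length thresholds are assumptions.
"""
import hmac
import os


def flagged_load(env):
    """The flagged pattern: unset variables fall back to secrets printed in source,
    so every default deployment shares one token and one admin database login."""
    return {
        "api_token": env.get("API_TOKEN", "yanpan-mcp-secret-2026"),
        "mongo_user": env.get("MONGODB_USERNAME", "admin"),
        "mongo_pass": env.get("MONGODB_PASSWORD", "tradingagents123"),
    }


# Any value that ever shipped in source is burned: reject it even when a
# deployer sets it explicitly.
PUBLISHED_DEFAULTS = {"yanpan-mcp-secret-2026", "tradingagents123"}
PRIVILEGED_DB_USERS = {"admin", "root"}
MIN_TOKEN_LEN = 32       # assumed policy
MIN_PASSWORD_LEN = 16    # assumed policy


class MissingSecret(RuntimeError):
    """Raised when a credential is absent, published, too short, or over-privileged."""


def require_secret(name, env, min_len=1):
    value = env.get(name)
    if not value:
        raise MissingSecret(f"{name} must be supplied by the environment; there is no default")
    if value in PUBLISHED_DEFAULTS:
        raise MissingSecret(f"{name} is set to a value published in the source; rotate it")
    if len(value) < min_len:
        raise MissingSecret(f"{name} is shorter than {min_len} characters")
    return value


def load_config(env=None):
    """Refuse to start unless every credential is explicit, unpublished and least-privilege."""
    env = os.environ if env is None else env
    token = require_secret("API_TOKEN", env, MIN_TOKEN_LEN)
    user = require_secret("MONGODB_USERNAME", env)
    if user in PRIVILEGED_DB_USERS:
        # Read-only finance lookups do not need admin rights on the database.
        raise MissingSecret(f"MONGODB_USERNAME={user} is a privileged account; use a read-only user")
    password = require_secret("MONGODB_PASSWORD", env, MIN_PASSWORD_LEN)
    return {"api_token": token, "mongo_user": user, "mongo_pass": password}


def startup_check(env):
    """Return 'ok' or the reason the server must refuse to start."""
    try:
        load_config(env)
        return "ok"
    except MissingSecret as exc:
        return str(exc)


def token_matches(presented, expected):
    """Constant-time comparison so response timing does not leak the token."""
    return hmac.compare_digest(presented.encode(), expected.encode())


# Constructed environments for the checks below.
GOOD_ENV = {"API_TOKEN": "k" * 40, "MONGODB_USERNAME": "quant_reader",
            "MONGODB_PASSWORD": "p" * 24}
EMPTY_ENV = {}
DEFAULTS_ENV = {"API_TOKEN": "yanpan-mcp-secret-2026", "MONGODB_USERNAME": "admin",
                "MONGODB_PASSWORD": "tradingagents123"}

if __name__ == "__main__":
    print("flagged loader with empty env:", flagged_load(EMPTY_ENV)["api_token"])
    for label, env in (("good", GOOD_ENV), ("empty", EMPTY_ENV), ("defaults", DEFAULTS_ENV)):
        print(label, "->", startup_check(env))
```

The shape to keep is that the loader has no fallback branch at all: a missing variable is a startup failure that the operator sees immediately, not a silent downgrade to a shared secret.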

Finding 3: limited provenance and version drift across the supplied artifacts

What this means

It is harder to verify whether the reviewed files match the hosted MCP service users are asked to connect to.

Why it was flagged

The package has limited provenance information, and the supplied artifacts disagree about which version they are: SKILL.md declares 1.3.0 and pyproject.toml declares 0.1.0, while the package metadata reports 1.4.0.

Skill content
Source: unknown; Homepage: none; Version: 1.4.0
Recommendation

Provide a verifiable source/homepage, align artifact versions, and document how the hosted service is deployed and maintained.
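The script below is an added example, not part of the ClawScan report or the reviewed package. It performs the consistency check a reviewer would run before trusting that the files in hand correspond to the hosted service: read the version each artifact declares, report drift, and list the provenance fields that are missing or placeholders. The three artifact texts are constructed to reproduce the numbers cited in this finding; the SKILL.md frontmatter layout and the metadata JSON keys are assumptions.

```python
"""Cross-check declared versions and provenance fields across skill artifacts.

Added example; not part of the ClawScan page or the reviewed package.
Frontmatter layout and metadata keys are assumptions.
"""
import json
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters fall back to a line match
    tomllib = None

# Constructed artifacts mirroring the versions the review cites.
SKILL_MD = """---
name: a-share-quant-analysis
version: 1.3.0
---
# A-Share Multi-Dimensional Quantitative Analysis
"""
PYPROJECT_TOML = """[project]
name = "a-share-quant-analysis"
version = "0.1.0"
"""
METADATA_JSON = json.dumps({"version": "1.4.0", "source": "unknown", "homepage": None})


def skill_md_version(text):
    """Version from the frontmatter block (assumed 'version: x.y.z' line)."""
    m = re.search(r"^version:\s*['\"]?(\d[^\s'\"]*)", text, re.MULTILINE)
    return m.group(1) if m else None


def pyproject_version(text):
    """Version from [project] in pyproject.toml."""
    if tomllib is not None:
        return tomllib.loads(text).get("project", {}).get("version")
    m = re.search(r'^version\s*=\s*"([^"]+)"', text, re.MULTILINE)
    return m.group(1) if m else None


def metadata_version(text):
    return json.loads(text).get("version")


def version_report(skill_md, pyproject, metadata):
    """Collect each declared version and flag drift or missing declarations."""
    versions = {
        "SKILL.md": skill_md_version(skill_md),
        "pyproject.toml": pyproject_version(pyproject),
        "metadata": metadata_version(metadata),
    }
    missing = sorted(k for k, v in versions.items() if not v)
    distinct = sorted({v for v in versions.values() if v})
    return {
        "versions": versions,
        "missing": missing,
        "distinct": distinct,
        "consistent": not missing and len(distinct) == 1,
    }


def provenance_gaps(metadata):
    """Provenance fields that are absent or filled with a placeholder."""
    meta = json.loads(metadata)
    gaps = []
    for field in ("source", "homepage"):
        value = meta.get(field)
        if value is None or str(value).strip().lower() in {"", "none", "unknown"}:
            gaps.append(field)
    return gaps


if __name__ == "__main__":
    print(version_report(SKILL_MD, PYPROJECT_TOML, METADATA_JSON))
    print("provenance gaps:", provenance_gaps(METADATA_JSON))
```

Three different version strings across three files is not itself a vulnerability, but it means none of them can be used to pin the reviewed source to what the endpoint at 42.121.167.42 is actually running, which is the gap the recommendation asks the publisher to close.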