BondInformation Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s bond-news purpose is coherent, but it handles the required API key unsafely by asking the agent to remember it and by sending it over plain HTTP.
Review the credential handling before installing. If you use it, avoid pasting API keys into chat, do not let the agent run `cat .env` on files containing other secrets, and prefer a secure environment-variable or credential-store setup. Also confirm FEEDAX provides a trusted HTTPS endpoint before sending account keys or sensitive query terms.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your API key, and possibly other secrets in the .env file, could enter the chat/context or be retained beyond the immediate request.
The instructions encourage exposing the contents of a local .env file and telling the agent an API key so it can remember it, rather than using a bounded credential store or only reading the specific FEEDAX_API_KEY value.
Check whether the `.env` file exists and contains a valid API Key:
```bash
cat .env
```
... When finished, please tell me the API Key so that I can remember it
Do not paste the key into chat or let the agent read the full .env file; configure only FEEDAX_API_KEY through a secure credential or environment-variable mechanism and redact unrelated secrets.
The FEEDAX key and query activity could be visible to network intermediaries, proxies, or server logs, potentially allowing unauthorized use of the API account.
The script sends the API key to a raw IP address over plain HTTP and places the key in the URL/query string as well as a header.
```python
FEEDAX_BASE_URL = "http://221.6.15.90:18011"
url = f"{FEEDAX_BASE_URL}/data-service/v1/news/bond/external/query?apiKey={api_key}"
params = {"apiKey": api_key}
headers = {
    "Content-Type": "application/json",
    "x-api-key": api_key
}
```
Use an HTTPS endpoint with a verifiable domain, send the key only through a secure header or credential mechanism, and avoid duplicating secrets in URLs.
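The following is an added example, not code from the BondInformation skill, showing how the two credential findings above (reading the whole `.env`, and sending the key over plain HTTP to a raw IP in both the URL and a header) would be addressed in a Python client. It keeps the request path and the `x-api-key` header quoted in the review; the HTTPS host name is a placeholder that must be replaced with the endpoint FEEDAX actually documents.

```python
import ipaddress
import os
from urllib.parse import urlencode, urlsplit

# Placeholder host: replace with the HTTPS endpoint FEEDAX actually documents.
FEEDAX_BASE_URL = "https://feedax.example.invalid"
QUERY_PATH = "/data-service/v1/news/bond/external/query"  # path quoted in the review


def load_api_key(env=None):
    """Read only FEEDAX_API_KEY, so no other .env secrets enter the agent's context."""
    env = os.environ if env is None else env
    key = env.get("FEEDAX_API_KEY", "").strip()
    if not key:
        raise RuntimeError("FEEDAX_API_KEY is not set; configure it in the environment")
    return key


def is_raw_ip(host):
    """True when the host is an IP literal rather than a name a certificate can vouch for."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def base_url_problems(base_url):
    """List why a base URL is unsafe for carrying an account key; empty means acceptable."""
    parts = urlsplit(base_url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname or is_raw_ip(parts.hostname):
        problems.append("host is a raw IP, not a verifiable name")
    return problems


def build_request(api_key, base_url=FEEDAX_BASE_URL):
    """Return (url, headers): TLS enforced, named host, key only in the x-api-key header."""
    problems = base_url_problems(base_url)
    if problems:
        raise ValueError("refusing to send FEEDAX key: " + "; ".join(problems))
    url = base_url.rstrip("/") + QUERY_PATH  # no apiKey query parameter
    headers = {"Content-Type": "application/json", "x-api-key": api_key}
    return url, headers


def key_in_url(url, api_key, params=None):
    """The check the review applied: does the secret appear in the URL or query string?"""
    return api_key in url or (params is not None and api_key in urlencode(params))
```

`key_in_url` reproduces the review's observation on the skill's own pattern (key in both the URL and `params`) and confirms the hardened request keeps the key out of both.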
You may not realize before installation that the skill needs a third-party API credential and may use that credential to query FEEDAX.
A FEEDAX API key is expected for this integration, but the registry metadata declares no primary credential or required environment variable, so the credential requirement is under-disclosed.
**Before using this skill, you must configure an API Key first.**
```env
FEEDAX_API_KEY=your_api_key_here
```
The skill should declare FEEDAX_API_KEY or the FEEDAX credential requirement in metadata, and users should provide only a least-privilege key intended for this service.
A future or environment-specific dependency version could behave differently from what the author tested.
The skill documents a manual, unpinned package install for requests. This is common and purpose-aligned for a Python API client, but it lacks a pinned version or lockfile.
### 1. Install dependencies
```bash
pip install requests
```
Install dependencies in a trusted virtual environment and prefer pinned requirements, for example a reviewed requirements.txt with a specific requests version.
