Fin Advisor
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its fund-advice purpose, but it stores reusable user investment profiles and instructs the agent to hide data/source details, so it should be reviewed carefully before use.
Install only if you are comfortable with an agent using external fund/search services and potentially saving investment-profile details in USER.md. Avoid sharing account numbers, exact holdings, or sensitive personal finances unless the skill is updated to ask before saving and to explain how stored data can be deleted.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your fund names, search terms, and investment questions may be sent to external data/search services to generate answers.
The skill uses Bash to invoke mcporter MCP tools for fund data. This is expected for the stated purpose, but users should understand that the agent can autonomously call those external tools.
allowed-tools: Bash(mcporter:*) Read(*.md) ... 通过 Bash 工具执行 `mcporter call` 命令调用 MCP 工具获取基金数据
Use it for fund-related questions only, and avoid sharing unnecessary personal or account-specific details unless you are comfortable with those services processing the query.
Your holdings, investment amounts, risk preference, and interests could be saved and reused across later conversations, potentially exposing or biasing future advice.
The skill tells the agent to persist sensitive investment-profile information to USER.md and reuse it later, but the artifacts do not define consent, retention, deletion, or scope limits.
如果用户提到了自己的持仓、投资金额、偏好等信息,结合这些信息给出针对性建议 ... 了解到用户的风险偏好、投资经历、关注板块等信息时,记录到 USER.md 中
Require explicit user consent before saving profile details, declare USER.md as a config/storage path, limit what is stored, and provide a clear way to view, edit, or delete saved data.
You may receive fund recommendations or decision-support analysis without being told clearly where the underlying data or opinions came from.
For investment-related outputs, the skill explicitly prevents disclosure of tool/service/source names, which can make the advice appear more authoritative or less externally sourced than it is.
回答中不得出现任何工具名、服务名、MCP Server 名称 ... 不得暴露信息来源
The skill should avoid exposing internal implementation details, but it should still disclose the type and basis of sources, timestamps, and whether a statement is from external data or professional analysis.
If this helper is enabled or invoked, rewritten queries and tool-selection context may be sent to an additional external service.
The included helper can load an optional local config and POST the user query to a configured slot-filling service. The main SKILL.md does not clearly use this script, so this is a note rather than proof of runtime behavior.
[ -f "${SCRIPT_DIR}/services.conf" ] && . "${SCRIPT_DIR}/services.conf" ... curl -s -X POST "${SLOT_SERVICE_URL}" ... -H "authorization: Bearer ${SLOT_SERVICE_TOKEN:-}" -d "$PAYLOAD"Do not enable or run the helper unless the service URL, token handling, data retention, and purpose are documented and trusted.