Skill v1.1.0
ClawScan security
A股智投大师 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 17, 2026, 3:54 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (A‑share analysis using East Money data), but there are inconsistencies around credential declaration and a few small surprises you should verify before installing.
- Guidance: This skill looks functionally coherent for A‑share analysis, but it requires an East Money (妙想/东财) API key even though the registry metadata does not declare required env vars. Verify the source before providing credentials. Actionable steps:
  - Confirm the API endpoint (mkapi2.dfcfs.com/finskillshub/api/claw) is the official endpoint associated with the API key you obtain from the 东方财富 app.
  - Expect to set MX_API_KEY or MX_SEARCH_API_KEY (the code reads these); the skill will not prompt for them at install time according to metadata, so pay attention to SKILL.md instructions.
  - Review and understand the auto-install of dependent skills (mx-data, mx-search, mx-select-stock, mx-selfselect, stock-monitor-skill). Those skills may need the same API key or other credentials and will increase the attack surface.
  - If you don’t trust the publisher or the endpoint, do not enter your real API key; test in an isolated account or sandbox first, and monitor API usage/quota after enabling the skill.

  If the publisher can update the registry metadata to declare the required env vars (MX_API_KEY / MX_SEARCH_API_KEY) and confirm the endpoint, the inconsistency would be resolved and trust would increase.
Review Dimensions
- Purpose & Capability (ok): Name/description, README, SKILL.md and the Python code all align: this is an A‑share analysis skill that calls an East Money (妙想/东财) API and delegates tasks to mx-data, mx-search, mx-select-stock, mx-selfselect and stock-monitor-skill. No unrelated services or binaries are requested.
- Instruction Scope (ok): SKILL.md instructs the agent to call the listed OpenClaw skills and to obtain/configure an East Money API key; runtime instructions do not ask the agent to read arbitrary local files or exfiltrate data beyond calls to the stated API endpoints and the other skills.
- Install Mechanism (ok): There is no install spec and only one included Python script. Nothing is downloaded or installed by the skill itself, which is the lowest install risk for this package.
- Credentials (concern): The public registry metadata lists no required environment variables or primary credential, but both SKILL.md and scripts/a_stock_analysis.py require an East Money API key (looks for MX_API_KEY or MX_SEARCH_API_KEY) and instruct the user to configure it into related skills. This metadata mismatch (declared none vs. actual required API key) is an inconsistency that reduces transparency. Also note the code makes network POST requests to https://mkapi2.dfcfs.com/finskillshub/api/claw; confirm that endpoint is legitimate for the API key you provide.
- Persistence & Privilege (ok): always is false, no special privileges requested, and the skill does not attempt to modify other skills' configs or persist credentials itself. Autonomous invocation is enabled by default but not combined here with other high‑risk factors.
