Betalpha Finance
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only finance data skill is coherent and discloses its API token, local config files, and network use, but users should understand that it sends a Betalpha token and query codes to ai.firstindex.cn.
This skill appears safe for its stated purpose if you trust ai.firstindex.cn. Before installing, understand that you must provide a Betalpha API token, it will be stored under ~/.config/betalpha/, and it will be sent to ai.firstindex.cn when you request finance data. Configure the token manually where possible, keep the file private, and avoid using the skill for investment decisions without independent verification.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill needs to protect the Betalpha API token because it may grant access to the user's finance-data service account.
The skill requires a service API token stored in a local file to authenticate finance-data requests. This is expected for the stated API integration and is clearly disclosed.
API Token | 字符串 | `~/.config/betalpha/api_key.txt` | 认证用户身份,访问金融数据 API
Use the manual configuration method, set restrictive file permissions, and avoid pasting the token into chats unless you accept that it may appear in conversation history.
The service provider will receive the token and the securities or fund codes you query.
The artifacts disclose that the API token and requested stock/fund identifiers are sent to ai.firstindex.cn for finance-data queries.
"data": ["API Token (在请求头中)", "股票/基金代码"], "purpose": "查询金融数据"
Install only if you trust ai.firstindex.cn with your Betalpha token and finance-data lookup requests.
Future queries may rely on endpoint information previously provided by the remote discovery service.
The skill uses and may cache dynamic API-discovery data from the external service. This is central to the stated purpose, but cached remote metadata can influence later endpoint selection.
访问 `https://ai.firstindex.cn/api/discovery` ... 获取最新的 API 端点列表 ... 更新本地缓存(可选:保存到 `~/.config/betalpha/api_cache.json`)
Treat discovery responses as endpoint metadata only, keep requests constrained to ai.firstindex.cn, and delete the cache if behavior looks unexpected.
It may be harder to verify who maintains the skill or where its source of record is.
The package metadata contains placeholder author and repository information, which weakens provenance even though the instruction-only behavior itself is disclosed and purpose-aligned.
"author": { "name": "Your Name", "email": "your.email@example.com" ... }, "repository": { "url": "https://github.com/yourusername/betalpha-gateway-skill" }Prefer installing after confirming the publisher and service domain are legitimate, especially before configuring an API token.