firstdata
AdvisoryAudited by VirusTotal on Mar 23, 2026.
Overview
Type: OpenClaw Skill Name: firstdata Version: 0.0.2 The FirstData skill bundle is a legitimate tool designed to help agents locate authoritative primary data sources via an MCP server. It provides clear documentation in SKILL.md and references/firstdata-register.md for connecting to its official API endpoint (firstdata.deepminer.com.cn) and obtaining an API key through a transparent registration process. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Lookup requests and any context included in them may be sent to the external FirstData MCP service.
The skill routes use through an external MCP provider whose tool list is obtained remotely. This is disclosed and aligned with the skill's purpose, but it creates a provider boundary users should notice.
This skill connects to the FirstData MCP server (`firstdata.deepminer.com.cn`) ... Once connected, browse the tool list provided by the firstdata MCP
Use the skill for source-finding queries, avoid sending unnecessary sensitive data, and review the MCP endpoint and tool list before relying on it.
If the token is exposed, someone else could use the FirstData API under the registered agent identity until the token expires or is revoked.
The service uses a long-lived bearer token for authentication. This is expected for the integration, but possession of the token grants access to the FirstData API quota/account context.
Use the activated `access_token` as `FIRSTDATA_API_KEY` ... The token is a JWT and is valid for **365 days** by default
Store the API key as a secret, do not paste it into chats or logs, and rotate or revoke it if exposed.
Using the npx setup path may run code from the npm ecosystem and persist an MCP server configuration.
The recommended setup can execute an unpinned npm CLI via npx to modify MCP configuration. It is user-directed and purpose-aligned, but depends on trusting the mcporter package source at setup time.
npx mcporter config add firstdata https://firstdata.deepminer.com.cn/mcp --header 'Authorization=Bearer ${FIRSTDATA_API_KEY}'Prefer a trusted or pinned MCPorter version, or use the documented manual MCP configuration if you want to avoid npx-based setup.