Eastmoney News
v1.0.0Provides real-time A-share market and financial news from Eastmoney based on user queries like market trends and stock updates.
⭐ 0· 326·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the behavior: SKILL.md and search.py both call a news-search API and parse title/content/date/source. Nothing in the files requests unrelated capabilities (no cloud credentials, no system-level access).
Instruction Scope
Instructions are narrowly scoped to calling the specified API and parsing JSON. However, both the SKILL.md and search.py include the exact external API URL and an embedded apikey value, so network traffic will be sent to mkapi2.dfcfs.com with that key—verify that this endpoint and key are trustworthy and that sending user queries there is acceptable.
Install Mechanism
No install spec (instruction-only) and only a small Python script provided. Nothing will be downloaded or written during install by an installer. The script uses the requests library but the skill does not attempt to install packages itself.
Credentials
The skill requests no environment variables or credentials from the user, which is reasonable. But it hard-codes an API key in both SKILL.md and search.py; while the key is necessary to call the listed API, embedding a key in code is a security/privacy concern and prevents users from supplying their own credentials.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.
Assessment
This skill appears to legitimately fetch Eastmoney-related news, but before installing: (1) verify the external endpoint (https://mkapi2.dfcfs.com) is a trusted/official provider for the data and acceptable under your privacy/compliance rules; (2) note the API key is embedded in the skill—consider asking the author to require a user-provided API key (via an env var) instead of a hard-coded one; (3) avoid sending sensitive or private data in queries because they will be transmitted to that third-party endpoint; (4) if you need stronger assurance, run the skill in an isolated environment and monitor outbound requests or request provenance/ownership info from the publisher.Like a lobster shell, security has layers — review code before you run it.
latestvk974h48sd6xs5g4esv8kceshns83amkh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.