v1.0.0

Eastmoney News

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:52 AM.

Analysis

The skill matches its financial-news purpose, but it publicly embeds a reusable API key in its documentation and code.

Guidance: Review before installing. The news-search behavior itself is coherent, but the publisher should remove and rotate the embedded API key and document the credential model. Avoid sending private portfolio or personal information in search queries unless you trust the external API endpoint.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
search.py
API_KEY = "mkt_o2fBS-..."; headers = { "apikey": API_KEY }

The helper authenticates to the provider using a hardcoded API key rather than a user-supplied or provider-managed credential; the registry metadata also declares no credential requirement.

User impact: Anyone who installs or reads the skill receives the same reusable provider key, so usage may be attributed to the key owner and the key could be abused, rate-limited, or revoked unexpectedly.

Recommendation: Remove and rotate the embedded key. Require a documented, scoped credential through configuration or environment variables, and clearly disclose what service it accesses.