场外基金查询 (Off-Exchange Fund Query)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to only query public fund data from Eastmoney/Tiantian Fund and does not request credentials, read local files, persist data, or change accounts.
This looks safe for its stated purpose: querying public fund information. Before installing, be comfortable with fund-code queries being sent to Eastmoney/Tiantian Fund over the network, and verify financial data independently before making investment decisions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A fund code you ask about is sent to public Eastmoney/Tiantian Fund endpoints, and displayed fund data depends on that external service and network path.
The script makes outbound HTTP API requests using the user-provided, validated fund code. This is disclosed and purpose-aligned, but users should be aware that queries leave the local environment and that plaintext HTTP does not protect the returned data from being altered in transit.
url = f"http://fundgz.1234567.com.cn/js/{fund_code}.js"
...
url = f"http://api.fund.eastmoney.com/f10/lsjz?fundCode={fund_code}&pageIndex=1&pageSize={page_size}"
Use the skill for informational lookups, verify important financial values with a trusted source before acting, and prefer HTTPS endpoints if the provider supports them.
