eastmoney skills

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned for financial data lookup, but users should notice that it uses an Eastmoney API key, sends queries to an external API, and saves result files locally.

This skill is reasonable for Eastmoney financial data lookup. Before installing, confirm you trust the Eastmoney API endpoint, set MX_APIKEY only in a trusted environment, avoid sending sensitive investment queries unless acceptable, and periodically clean the generated output files if they contain private information.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your financial query text is sent to Eastmoney's API to retrieve data.

Why it was flagged

The code sends the user's query to a fixed external Eastmoney API endpoint. This is central to the skill's stated financial-data purpose and is disclosed, but users should know their query text leaves the local environment.

Skill content

BASE_URL = "https://mkapi2.dfcfs.com/finskillshub/api/claw/query" ... response = requests.post(self.BASE_URL, headers=headers, json=data, timeout=30)

Recommendation

Use the skill only when you are comfortable sending the query content to the listed Eastmoney API endpoint.

What this means

The skill can use your Eastmoney API key to make financial-data requests.

Why it was flagged

The skill reads an MX_APIKEY credential from the environment and uses it in the API request header. This is expected for the service, but the registry metadata says no required environment variables and no primary credential.

Skill content

self.api_key = api_key or os.getenv("MX_APIKEY") ... "apikey": self.api_key

Recommendation

Provide only the intended Eastmoney API key, keep it in a trusted environment, and revoke or rotate it if it is exposed.

What this means

Financial query results and raw API responses may remain in local output files.

Why it was flagged

The skill discloses that it saves retrieved results, including raw API JSON, under a local workspace path. This is purpose-aligned, but it means query outputs may persist beyond the immediate interaction.

Skill content

Default output directory: `/root/.openclaw/workspace/mx_data/output/` (created automatically) ... `mx_data_{query}_raw.json` - raw API JSON data

Recommendation

Review or delete generated output files if the queries or returned data are sensitive.