eastmoney skills
Pass
Audited by ClawScan on May 1, 2026.
Overview
This stock-screening skill appears scoped and purpose-aligned, but it needs an Eastmoney API key, sends the user’s query to Eastmoney, and saves result files locally.
This skill looks reasonable for Eastmoney-based stock screening. Before installing, make sure you are comfortable sending your stock-screening keywords to mkapi2.dfcfs.com, provide MX_APIKEY only through a secure environment variable, and remember that CSV/raw JSON outputs will remain in the configured workspace unless you remove them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The stock-screening keyword you provide is sent to Eastmoney’s API for processing.
The code makes a scoped external POST request to the Eastmoney endpoint with the user’s query data. This is expected for the stock-screening purpose, but it is still an external API data flow.
BASE_URL = "https://mkapi2.dfcfs.com/finskillshub/api/claw/stock-screen" ... response = requests.post(self.BASE_URL, headers=headers, json=data, timeout=30)
Use this only for queries you are comfortable sending to that service, and avoid including unrelated personal information in the query.
Anyone running the skill must provide and protect an Eastmoney/Miaoxiang API key.
The skill reads an API key from the local environment and sends it as the API authentication header. This is purpose-aligned and not shown to be leaked elsewhere, but it is credential use.
self.api_key = api_key or os.getenv("MX_APIKEY") ... "apikey": self.api_key
Store MX_APIKEY securely, do not paste it into prompts or shared logs, and rotate it if you suspect exposure.
The installer or registry view may not clearly warn that the skill needs an API key before use.
The registry metadata under-declares the API-key requirement that SKILL.md and the code require. This is a packaging/setup disclosure gap, not evidence of hidden malicious behavior.
Required env vars: none ... Primary credential: none ... No install spec — this is an instruction-only skill.
Treat MX_APIKEY as a real required credential despite the registry metadata, and prefer an updated package that declares it explicitly.
Your query and the returned stock-screening data may remain in local workspace files after the task finishes.
The skill persists the raw API response, along with generated CSV and description files, to local storage. This is disclosed and purpose-aligned, but it leaves query/results artifacts on disk.
json_path = output_dir / f"mx_select_stock_{safe_name}_raw.json" ... json.dump(result, f, ensure_ascii=False, indent=2)
Review or delete generated output files if the query or results are sensitive.
