eastmoney skills

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it says (manage a simulated stock account), but users should know that it can place and cancel simulated trades, authenticates with an API key, and saves account results to local files.

Install only if you intend to connect a 妙想 simulated trading account. Configure the API key carefully, keep MX_API_URL pointed at the legitimate provider endpoint, review any buy/sell/cancel request before issuing it, and periodically clean the local output files if they contain account details.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

If invoked with trade or cancel wording, the agent may change the user's simulated portfolio state.

Why it was flagged

The skill intentionally converts user wording into API calls that can submit simulated trades or cancel orders. This matches the stated simulator purpose, but it is a state-changing capability.

Skill content
Automatically recognizes intent from the **user's question** and calls the corresponding interface... **buy/sell operations**... **cancel-order operations**
Recommendation

Use clear prompts and review order details before asking it to buy, sell, sell all, or cancel orders; the skill author should add an explicit confirmation step for mutating operations.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

Anyone with the configured API key may be able to access or change the linked simulated trading account through the provider API.

Why it was flagged

The helper reads an API key from the environment and sends it as an authentication header to the configured API URL. This is expected for this provider integration, but it is credentialed account access.

Skill content
`MX_APIKEY = os.environ.get('MX_APIKEY')` ... `headers = { 'apikey': MX_APIKEY, 'Content-Type': 'application/json' }`
Recommendation

Only configure an API key from the legitimate provider page, keep it secret, and avoid setting MX_API_URL to an untrusted endpoint.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

Simulated account details may remain on disk after use and could be read later by someone with access to the workspace.

Why it was flagged

The skill discloses that it saves raw API responses and text outputs locally. These files may contain simulated holdings, balances, orders, or trade history.

Skill content
Default output directory: `/root/.openclaw/workspace/mx_data/output/` ... `mx_stock_simulator_{query}.json` - raw API JSON data
Recommendation

Treat the output directory as sensitive and delete exported JSON/text files when they are no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info
What this means

If a user manually installs dependencies, the exact requests version may vary.

Why it was flagged

The Python dependency is not version-pinned. There is no automated install spec in the artifacts, so this is mainly a reproducibility/provenance note rather than evidence of unsafe installation.

Skill content
`requests`
Recommendation

Pin dependency versions if this skill is packaged for automated installation.