ebfx-cli-skill
Review
Audited by ClawScan on May 13, 2026.
Overview
The skill matches its stated EBFX purpose, but it can use local login tokens to pull protected financial dashboard data through an unreviewed command-line tool.
Install only if you trust the local ebfx CLI and the EBFX account/token configuration on this machine. Before using it, confirm that OPENCLAW_SENDER_ID cannot be spoofed, token files are protected, and the user explicitly wants the agent to query sensitive financial dashboard or profit data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the sender binding or token files are misconfigured or exposed, the agent could query protected EBFX dashboard or profit data under the wrong identity.
This shows protected EBFX access is selected through a runtime sender identity and local per-sender tokens. The registry metadata declares no primary credential, environment variable, or config path, so the credential and account boundary is under-declared for a financial-data skill.
Trust the runtime-injected `OPENCLAW_SENDER_ID` first ... protected commands read the token per sender; different Lark users hit different token files
Use only in an environment where the ebfx token files and OPENCLAW_SENDER_ID source are trusted and access-controlled; declare the credential/config requirements and require clear user intent before protected queries.
The agent may run EBFX CLI commands that return sensitive operational or profit information.
The skill directs the agent to execute a local CLI through exec. This is central to the stated purpose and the listed commands are specific, but command execution against a financial platform is still notable.
When OpenClaw calls `ebfx` via `exec`, trust the runtime-injected `OPENCLAW_SENDER_ID` first
Review the command being run, keep usage tied to explicit user requests, and avoid running protected queries in shared or untrusted sessions.
Security depends on whatever ebfx binary is already present on the system, which ClawScan did not review here.
The reviewed package does not install or declare the ebfx executable even though the skill instructions depend on it, so the CLI binary and its handling of tokens/data are outside the provided artifacts.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Verify the ebfx CLI is installed from a trusted EBFX source, has the expected version, and is not shadowed by an unexpected executable on PATH.
