openclaw-engine-mcp-setup

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for setting up a finance MCP server, but it embeds a fixed authorization key and connects OpenClaw to an external MCP provider with unclear account, scope, and data boundaries.

Review the MCP provider and the embedded authorization key before installing. If you proceed, use a scoped personal credential if available, avoid sending sensitive trading strategies until you trust the service, and keep a record of the OpenClaw config changes so you can remove the MCP server later.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Future MCP calls may run under a shared or provider-controlled credential with unclear permissions and auditability.

Why it was flagged

The skill instructs users to place a fixed authorization value and app ID into the MCP server configuration, but the artifacts do not explain who owns this credential, its scope, revocation process, or account/billing implications.

Skill content
"Authorization": "Aksk Mu4OfFXJSPyWXGv3", "appid": "mcpclient001"
Recommendation

Verify the provider and credential source before use. Prefer a user-specific, revocable secret stored through OpenClaw’s normal secret-management mechanism rather than a hardcoded shared key.

What this means

Trading strategy logic, contract codes, dates, and simulation parameters may be sent to the remote MCP provider.

Why it was flagged

The skill routes MCP tool calls to an external MCP server and shows finance strategy parameters being sent to it. This is purpose-aligned, but the artifacts do not describe data handling, retention, or trust boundaries for that remote service.

Skill content
"url": "https://mcp.hzyotoy.com/engine/mcp" ... "name": "run_expression_selected" ... "openCondition" ... "codes": "ag8888,au8888"
Recommendation

Only use this with non-sensitive strategy data unless you trust the MCP provider and understand its privacy and retention practices.

What this means

After configuration, the agent can use tools exposed by the configured MCP server in later sessions.

Why it was flagged

The skill enables MCP support and encourages validating by calling MCP tools. This is central to the stated purpose, but it expands the agent’s available tool surface.

Skill content
commands:\n  mcp: true ... Try calling an MCP tool to confirm the configuration has taken effect
Recommendation

Enable this only if you intend OpenClaw to use this MCP server, and review tool calls before allowing actions that could affect accounts, data, or financial workflows.

What this means

The remote MCP server may remain available to OpenClaw until the configuration is removed.

Why it was flagged

The skill documents a persistent configuration change that remains active after restart. This is expected for an MCP setup skill, but it means the remote server stays configured beyond the immediate task.

Skill content
After configuration is complete, openclaw must be restarted for the configuration to take effect
Recommendation

Document the change and remove the MCP server entry when it is no longer needed.