Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A-Share Multi-Dimensional Quantitative Analysis

A-Share Multi-Dimensional Quantitative Analysis MCP Server - broker research reports, AI news analysis, and stock comprehensive analysis

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 227 · 3 current installs · 4 all-time installs
by Evan @Li-Evan
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Declared tools (research report search, news analysis search, stock analysis) map directly to the functions implemented in server.py; the overall capability matches the name/description.
Instruction Scope (!)
SKILL.md instructs agents to connect to an external MCP server (http://42.121.167.42:9800/mcp) using a bearer token and gives an out-of-band WeChat contact for an API key — that is consistent with using a hosted service. However the shipped server.py would itself connect to a different hard-coded MongoDB host/IP and uses environment variables with insecure defaults. The SKILL.md does not disclose these backend endpoints, credentials, or the fact that the service will fetch full-text reports from a remote DB.
Install Mechanism
No install spec; the skill is instruction-only (no automatic downloads). The package includes server.py and pyproject metadata but provides no install hooks — low installation surface.
Credentials (!)
Registry metadata listed no required env vars, but server.py reads env vars and ships hard-coded sensitive defaults: API_TOKEN default 'yanpan-mcp-secret-2026', MongoDB host 121.43.242.239, username 'admin' and password 'tradingagents123'. Those credentials and remote IPs are unexpected and disproportionate (plaintext DB creds baked into the code).
Persistence & Privilege
always is false and the skill does not request system-wide privileges or modify other skills. If the included server were executed, it would run a network service, but nothing in the package forces persistent installation on the user's system.
Scan Findings in Context
[hardcoded-credentials] unexpected: server.py contains hard-coded/default credentials and server addresses (API_TOKEN default 'yanpan-mcp-secret-2026'; MongoDB host 121.43.242.239; username 'admin'; password 'tradingagents123'). These are not declared in SKILL.md or registry metadata and are unexpected for a client-facing skill.
[undisclosed-backend-endpoints] unexpected: SKILL.md points clients at 42.121.167.42:9800 but server.py is configured by default to connect to a MongoDB at 121.43.242.239. The backend DB endpoint(s) are not disclosed or explained in documentation.
What to consider before installing
This skill appears to do what it claims (provide research/news/stock analysis) but includes worrying artifacts: plaintext default API token and MongoDB credentials and hard-coded IPs in server.py that are not documented in SKILL.md. Before installing or running anything from this skill:

  • Do not run the included server.py locally unless you trust the source. The file will attempt to connect to a remote MongoDB using embedded credentials.
  • Ask the publisher for provenance: who operates the servers at 42.121.167.42 and 121.43.242.239, and why are DB credentials embedded in the code? Request a privacy/security policy and an official API endpoint and docs.
  • Prefer using your own hosted instance or a vetted provider. If you must use the remote service, require an API key over HTTPS (SKILL.md uses http) and confirm TLS and authentication are enforced.
  • Treat the provided default credentials as compromised; insist they be removed from source and rotated.

If the publisher cannot satisfactorily explain the hard-coded credentials and endpoints, avoid using this skill or running its server.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.4.0
latestvk974r4v8j2eymtgqv4n4gjfjv582p8b5

SKILL.md

A-Share Multi-Dimensional Quantitative Analysis

Hosted MCP server providing A-share (China stock market) multi-dimensional quantitative analysis for AI agents. Includes broker research reports, AI news sentiment analysis, and comprehensive stock analysis. Connect directly — no deployment needed.

Tools

search_research_reports

Search broker research reports by company name. Returns full-text reports including title, source, content, and date.

  • Input: company_name (e.g. "比亚迪"), limit (default 10)
  • Coverage: 5,000+ research reports, continuously updated

search_news_analysis

Search AI-analyzed news by company name and date range. Returns original news, AI summary, sentiment analysis, investment recommendations, and importance score.

  • Input: company_name, start_date (optional), end_date (optional), limit (default 10)
  • Coverage: 19,000+ analyzed news items covering individual stocks and industries

get_stock_analysis

Get the latest comprehensive analysis for a stock by its code. Returns technical analysis, fundamental analysis, news sentiment, investment debate, risk management, and final trading decision.

  • Input: stock_code (e.g. "601900", "000001", "300750")
  • Coverage: 3,000+ stocks, 12,000+ analysis reports

Setup

Add to your .mcp.json:

{
  "mcpServers": {
    "yanpan": {
      "type": "http",
      "url": "http://42.121.167.42:9800/mcp",
      "headers": {
        "Authorization": "Bearer <YOUR_API_KEY>"
      }
    }
  }
}

That's it. No installation, no Docker, no database — just connect and use.

Get API Key

To get your own API key, contact via WeChat: ptcg12345

Files

3 total