Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A-Share Multi-Dimensional Quantitative Analysis

v1.4.0

A-Share Multi-Dimensional Quantitative Analysis MCP Server - broker research reports, AI news analysis, and stock comprehensive analysis

by Evan @li-evan

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for li-evan/a-share-multidim-quant-analysis.

Install the skill "A-Share Multi-Dimensional Quantitative Analysis" (li-evan/a-share-multidim-quant-analysis) from ClawHub.
Skill page: https://clawhub.ai/li-evan/a-share-multidim-quant-analysis
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install a-share-multidim-quant-analysis

ClawHub CLI

npx clawhub@latest install a-share-multidim-quant-analysis

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Declared tools (research report search, news analysis search, stock analysis) map directly to the functions implemented in server.py; the overall capability matches the name/description.
Instruction Scope
SKILL.md instructs agents to connect to an external MCP server (http://42.121.167.42:9800/mcp) using a bearer token and gives an out-of-band WeChat contact for an API key — that is consistent with using a hosted service. However the shipped server.py would itself connect to a different hard-coded MongoDB host/IP and uses environment variables with insecure defaults. The SKILL.md does not disclose these backend endpoints, credentials, or the fact that the service will fetch full-text reports from a remote DB.
Install Mechanism
No install spec; the skill is instruction-only (no automatic downloads). The package includes server.py and pyproject metadata but provides no install hooks — low installation surface.
Credentials
Registry metadata listed no required env vars, but server.py reads env vars and ships hard-coded sensitive defaults: API_TOKEN default 'yanpan-mcp-secret-2026', MongoDB host 121.43.242.239, username 'admin' and password 'tradingagents123'. Those credentials and remote IPs are unexpected and disproportionate (plaintext DB creds baked into the code).
Persistence & Privilege
always is false and the skill does not request system-wide privileges or modify other skills. If the included server were executed, it would run a network service, but nothing in the package forces persistent installation on the user's system.
Scan Findings in Context
[hardcoded-credentials] unexpected: server.py contains hard-coded/default credentials and server addresses (API_TOKEN default 'yanpan-mcp-secret-2026'; MongoDB host 121.43.242.239; username 'admin'; password 'tradingagents123'). These are not declared in SKILL.md or registry metadata and are unexpected for a client-facing skill.
[undisclosed-backend-endpoints] unexpected: SKILL.md points clients at 42.121.167.42:9800 but server.py is configured by default to connect to a MongoDB at 121.43.242.239. The backend DB endpoint(s) are not disclosed or explained in documentation.
What to consider before installing
This skill appears to do what it claims (provide research/news/stock analysis) but includes worrying artifacts: plaintext default API token and MongoDB credentials and hard-coded IPs in server.py that are not documented in SKILL.md. Before installing or running anything from this skill:

  • Do not run the included server.py locally unless you trust the source. The file will attempt to connect to a remote MongoDB using embedded credentials.
  • Ask the publisher for provenance: who operates the servers at 42.121.167.42 and 121.43.242.239, and why are DB credentials embedded in the code? Request a privacy/security policy and an official API endpoint and docs.
  • Prefer using your own hosted instance or a vetted provider. If you must use the remote service, require an API key over HTTPS (SKILL.md uses http) and confirm TLS and authentication are enforced.
  • Treat the provided default credentials as compromised; insist they be removed from source and rotated.

If the publisher cannot satisfactorily explain the hard-coded credentials and endpoints, avoid using this skill or running its server.

Like a lobster shell, security has layers — review code before you run it.

latestvk974r4v8j2eymtgqv4n4gjfjv582p8b5
482 downloads
0 stars
2 versions
Updated 15h ago
v1.4.0
MIT-0

A-Share Multi-Dimensional Quantitative Analysis

Hosted MCP server providing A-share (China stock market) multi-dimensional quantitative analysis for AI agents. Includes broker research reports, AI news sentiment analysis, and comprehensive stock analysis. Connect directly — no deployment needed.

Tools

search_research_reports

Search broker research reports by company name. Returns full-text reports including title, source, content, and date.

  • Input: company_name (e.g. "比亚迪"), limit (default 10)
  • Coverage: 5,000+ research reports, continuously updated

search_news_analysis

Search AI-analyzed news by company name and date range. Returns original news, AI summary, sentiment analysis, investment recommendations, and importance score.

  • Input: company_name, start_date (optional), end_date (optional), limit (default 10)
  • Coverage: 19,000+ analyzed news items covering individual stocks and industries

get_stock_analysis

Get the latest comprehensive analysis for a stock by its code. Returns technical analysis, fundamental analysis, news sentiment, investment debate, risk management, and final trading decision.

  • Input: stock_code (e.g. "601900", "000001", "300750")
  • Coverage: 3,000+ stocks, 12,000+ analysis reports

Setup

Add to your .mcp.json:

{
  "mcpServers": {
    "yanpan": {
      "type": "http",
      "url": "http://42.121.167.42:9800/mcp",
      "headers": {
        "Authorization": "Bearer <YOUR_API_KEY>"
      }
    }
  }
}

That's it. No installation, no Docker, no database — just connect and use.

Get API Key

To get your own API key, contact via WeChat: ptcg12345
