Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SZFIU Market Data Bot

v1.0.13

FIU MCP Market Data and Trading Assistant. Use when user wants to query stock quotes, K-line, trade stocks, check positions, or analyze market data for HK/US...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required env var (FIU_MCP_TOKEN), declared binaries (curl, jq, date, bash), and the scripts all consistently target FIU MCP endpoints (ai.szfiu.com) and implement market queries and simulated/real trades. The requested token is proportional and expected for this purpose.
Instruction Scope
Runtime instructions and scripts do more than just network calls: they create a ~/.fiu-market/config file and create/overwrite ~/.mcp.json (with a backup). That behaviour is coherent with the stated goal (integrating with MCP), but it modifies a shared configuration file used by other MCP-enabled tools — you should be aware it will change files in your home directory and may affect other tools.
Install Mechanism
There is no remote download/install URL; the repository includes shell scripts (install.sh, scripts/*.sh) and the SKILL.md expects the agent to run local bash commands. No archives or external code-hosting downloads are fetched during install. All external network calls go to ai.szfiu.com, which matches the skill's claimed service.
Credentials
Only FIU_MCP_TOKEN is required (declared as sensitive). No unrelated credentials or broad environment access are requested. The scripts read/write only user-local config files and the FIU token, which is proportionate to the functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges, but it writes persistent config files (~/.fiu-market/config and ~/.mcp.json). That persistent change to ~/.mcp.json could affect other MCP integrations; the scripts create a backup but will overwrite by default. Also, real trading requires interactive confirmation in the scripts (read -p), which may behave unexpectedly if run non-interactively by an agent.
Assessment
This skill appears to be what it claims (market data + trading via FIU MCP) and only asks for one token (FIU_MCP_TOKEN). Before installing or running:
1) Treat the FIU_MCP_TOKEN as sensitive; do not share it.
2) Review ~/.mcp.json after setup: the skill will create/overwrite that file (it does back it up as ~/.mcp.json.bak) and add seven ai.szfiu.com endpoints; if you use other MCP tools, merge rather than blindly overwrite.
3) Inspect the included scripts/install.sh yourself and run them manually if you prefer (there is no hidden remote download).
4) Start in SIMULATE mode and verify behaviour; the trade script asks for interactive confirmation for REAL trades (this may block if invoked non-interactively), so be cautious before attempting real trades.
5) Verify the ai.szfiu.com domain and the token source before entering credentials.
If you want to reduce risk, keep a manual copy of your previous ~/.mcp.json and run the skill in a restricted environment first.


Runtime requirements

Env: FIU_MCP_TOKEN
