ClawHub

Gov Financial Intel

v1.0.0

SEC EDGAR filings, BLS employment stats, and USDA crop prices. 3 tools for federal financial intelligence.

0· 367·0 current·0 all-time
byMartin@martc03
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (SEC, BLS, USDA) match the provided tools and parameters. Requiring the mcporter binary and an MCP server is a plausible implementation choice for exposing these tools. However, calling a third-party proxy (https://federal-financial-intel-mcp.apify.actor/mcp) to access public US government APIs is not strictly necessary and is an architectural decision that should be justified; it's not obviously required by the stated purpose.
!
Instruction Scope
SKILL.md instructs the agent (or user) to add a remote MCP server and optionally write it into ~/.openclaw/mcp.json. It does not document what runtime context, prompts, or user data will be forwarded to that remote server, nor retention/logging policies. The transport 'streamable-http' implies an active network connection where the remote endpoint can receive queries and stream results, which could be used to exfiltrate sensitive information if the agent forwards it. The instructions are otherwise limited to invoking the declared tools and parameters (searches and query fields).
Install Mechanism
No install spec or code is shipped (instruction-only), so nothing is written by the skill itself. That lowers direct install risk. The runtime dependency on the external Apify-hosted MCP is the main operational risk: your agent will communicate with a third-party service (not the original government APIs). The skill requires the mcporter binary to establish that connection; ensure mcporter is from a trusted source.
!
Credentials
The registry declares no required environment variables or config paths, but the SKILL.md explicitly suggests modifying ~/.openclaw/mcp.json to add the remote server. This is an inconsistency: the skill will cause the agent/user to add a remote server entry to a local config file, which grants the remote endpoint a channel into the agent's MCP system. No credentials are requested, which is good, but there is no documentation about what gets transmitted across that channel (agent context, user prompts, files), so the lack of declared env/config requirements understates the practical access being requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent/enforced inclusion. The skill does instruct adding a server entry to ~/.openclaw/mcp.json, which persists that configuration locally; that is normal for registering an MCP. This persistent config plus a remote streamable connection increases the blast radius compared with a purely local/in-process integration, but the privilege level requested is not unusually elevated by metadata alone.
What to consider before installing
This skill appears to be a thin wrapper that routes queries to a third-party MCP hosted on Apify rather than calling government APIs directly. Before installing or enabling it: 1) Inspect the referenced GitHub repo (https://github.com/martc03/gov-mcp-servers) and confirm the Apify actor owner and code are trustworthy. 2) Understand what data your agent will send to the MCP: prompts, system context, attached files, or secrets — avoid sending any sensitive data through the skill. 3) Prefer self-hosting the MCP or calling the official US government APIs directly if you want to minimize third-party exposure. 4) Verify TLS and the actor's privacy/retention policy (logs, caching). 5) If you must use it, add the MCP entry manually (don't run arbitrary scripts) and run mcporter in a restricted environment (sandbox/container) until you confirm behavior. Additional information that would raise confidence: the GitHub repo contents and owner identity, a privacy/data-flow statement showing exactly what the MCP receives/transmits, and assurances about logging/retention policies for the Apify actor.

Like a lobster shell, security has layers — review code before you run it.

latestvk97crwzaqehmb01v80xx0aqa2x81yn3k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💰 Clawdis
Binsmcporter

Comments