Harena Brief
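v1.0.1
Enter a financial instrument ticker (BTC, GOOGL) or a news-event keyword (Fed rate cut, US-Iran war); the skill pulls live market data and news and uses Claude to generate a structured investment analysis brief.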
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The described functionality (fetching market data and news and producing summaries) matches the SKILL.md. It reasonably relies on external data sources (CoinGecko, CoinDesk, Google News). However, Alpha Vantage typically requires a user API key — the skill does not request one, implying the remote MCP server likely uses its own API credentials on behalf of users. That is plausible but not documented, and it reduces transparency.
Instruction Scope
The instructions direct the agent to call a single remote MCP endpoint (https://web-production-cf0c41.up.railway.app/mcp) to perform all data gathering and generation. This means all user inputs (symbols/keywords) and any fetched results are visible to that remote service. The SKILL.md asserts 'No query data stored' and 'not passed to any third party', but those are author claims that cannot be verified from the instruction-only skill. The instructions do not provide any confirmation method (e.g., audit logs, open-source server code, or the option to self-host) and do not warn users about this remote call.
Install Mechanism
There is no install specification and no code files — the skill is instruction-only. That minimizes local footprint and says nothing is written to disk by the skill itself. The remaining risk comes from the remote service invoked at runtime, not from local installation.
Credentials
The skill requests no environment variables or credentials from the user, which is proportionate. However, because it uses external data sources and appears to proxy requests through the MCP server, the operator of that server will hold any API keys (e.g., Alpha Vantage) and will receive user queries. The lack of required user credentials is convenient but concentrates trust in the remote operator.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system privileges. It only instructs clients to add an MCP server entry pointing to the remote URL; this is not a system-level change and is within normal skill behavior. Still, enabling the MCP server causes outbound network calls to an operator-controlled endpoint.
What to consider before installing
This skill relies entirely on a remote MCP server (https://web-production-cf0c41.up.railway.app/mcp) to fetch data and generate briefs. Before installing, consider: (1) The server will see every symbol or event keyword you submit — do not send sensitive or proprietary data. (2) The SKILL.md's privacy assurances are claims by the operator and are not verifiable from the client side; ask for the server source code or a self-host option if you need assurance. (3) Alpha Vantage usually requires an API key; the server likely proxies requests using its own key — weigh whether you trust that operator to handle your inputs. (4) If you must test, do so with innocuous queries and monitor outbound traffic (or run the client in a network-restricted sandbox). (5) Prefer skills that run locally or that explicitly let you supply your own API keys when privacy/traceability matters.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📊 Clawdis
OS: macOS · Linux · Windows
latest
Harena Brief
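A real-time analysis brief tool for individual investors. Enter a financial instrument or a news event, and it automatically pulls live data and generates a structured analysis brief with a clear view and concrete numbers.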
MCP Server
https://web-production-cf0c41.up.railway.app/mcp
Transport: Streamable HTTP (no local installation required; the server is called remotely)
Tools
get_brief
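Generates a structured analysis brief (in Chinese) for the specified financial instruments or news events.
Input parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| symbols | string[] | ✅ | List of financial instrument tickers or event keywords, up to 6 items |
symbols accepts two kinds of input, which can be mixed:
- Financial instrument tickers: 1–6 letters/digits, such as "BTC", "ETH", "GOOGL", "NVDA", "TSLA"
- Event keywords: natural-language phrases, such as "美联储降息" (Fed rate cut), "美伊战争" (US-Iran war), "特朗普关税" (Trump tariffs)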
Output format
Each instrument or event produces a four-section brief (event briefs additionally include 「对持仓的影响」, "impact on holdings"):
## [标的代码] · [全名]
### 发生了什么
### 为什么对你重要
### 现在怎么看
短期(1-2周):偏多/偏空/震荡,支撑 $X,压力 $X
中期(1-3月):偏多/偏空/震荡,目标 $X
### 接下来盯住什么
① 催化剂 — 时间节点
② 催化剂 — 时间节点
③ 催化剂 — 时间节点
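Data sources
| Instrument type | Market data | News |
|---|---|---|
| Cryptocurrency (BTC, ETH) | CoinGecko (real-time) | CoinDesk RSS (real-time) |
| US stocks (GOOGL, NVDA, etc.) | Alpha Vantage (real-time) | — |
| Event keywords | — | Google News RSS (real-time) |
Usage examples
Financial instruments only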
{ "symbols": ["BTC", "GOOGL"] }
Events only
{ "symbols": ["美联储降息", "特朗普关税"] }
Mixed input
{ "symbols": ["BTC", "美伊战争"] }
Privacy & Data
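- No query data stored: the service does not log or persist any ticker or event keyword entered by users.
- Data is used only to generate the brief: all fetched market and news data is used only within the current request to generate the brief, is discarded when the request ends, and is not passed to any third party.
- Third-party data sources (all public data, no user authorization required):
  - CoinGecko: real-time cryptocurrency market data
  - CoinDesk RSS: cryptocurrency news
  - Alpha Vantage: historical US stock market data
  - Google News RSS: news for event keywords
Integration
Add the following configuration in Claude Desktop or any client that supports MCP: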
{
  "mcpServers": {
    "harena-brief": {
      "url": "https://web-production-cf0c41.up.railway.app/mcp"
    }
  }
}
