Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openclaw-engine-mcp-setup

v1.0.0

Enable the openclaw MCP feature and add an MCP server configuration. Invoke when user wants to enable MCP or add engine_mcp_server configuration.

by Frank @rxjhfmf
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description say: enable openclaw MCP and add engine_mcp_server configuration. The SKILL.md provides exact config snippets and JSON-RPC examples that directly implement that purpose. However, the file includes a literal Authorization header and appid in the example config even though the skill declares no required environment variables or credentials — embedding a token in the doc is unusual and should be justified.
! Instruction Scope
Instructions only describe modifying the main OpenClaw config and restarting; that is within scope. Concern: the instructions include a concrete remote URL (https://mcp.hzyotoy.com/engine/mcp) and a literal Authorization header value. The skill does not instruct reading other system files, but providing a hard-coded credential and remote endpoint in the doc broadens the security surface and could lead users to paste a possibly real token into production configs.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes on-disk risks because nothing is downloaded or executed by the skill itself.
! Credentials
The skill declares no required environment variables or credentials, yet the SKILL.md contains an explicit Authorization value and appid. That is a mismatch: if a credential is needed, it should be declared and the instructions should recommend using secure storage (env vars/secret manager) instead of embedding secrets in the document. The presence of a literal token (Authorization: "Aksk Mu4OfFXJSPyWXGv3") is unexpected and potentially sensitive.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system settings beyond advising a config change to OpenClaw. Autonomous invocation is allowed by platform default but not specifically problematic here.
What to consider before installing
This skill appears to do what it says (enable MCP and add an engine_mcp_server), but the SKILL.md contains a literal Authorization token and a specific server URL. Treat that token as potentially sensitive or a placeholder — do not blindly copy it into your production config. Before installing/using the skill:

  1. Verify the skill author or source (there is no homepage or publisher info).
  2. Confirm whether https://mcp.hzyotoy.com is a trusted endpoint for your environment.
  3. Replace any credentials with tokens you control and store them in environment variables or a secret manager rather than embedding in config files.
  4. Back up your OpenClaw configuration before making changes and test in a safe environment.
  5. If in doubt, ask the skill author whether the shown Authorization value is a placeholder, and request instructions that use declared env vars (e.g., require OPENCLAW_MCP_AUTH) instead of hard-coded secrets.

These steps will reduce the risk introduced by the undocumented credential in the documentation.

Like a lobster shell, security has layers — review code before you run it.

Latest: v1.0.0 (MIT-0)
85 downloads · 0 stars · 1 version · Updated 3w ago

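OpenClaw MCP Configuration Skill

🎯 What This Skill Does

This skill is used to:

  1. Enable the openclaw MCP feature
  2. Add the MCP server configuration for engine_mcp_server

📋 Configuration

1. Enable the MCP feature

Enable the MCP feature in the main configuration file: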

commands:
  mcp: true

2. Add the MCP server configuration

Add the MCP server configuration to the main configuration file:

"mcp": {
  "servers": {
    "engine_mcp_server": {
      "url": "https://mcp.hzyotoy.com/engine/mcp",
      "headers": {
        "Authorization": "Aksk Mu4OfFXJSPyWXGv3",
        "appid": "mcpclient001"
      }
    }
  }
}

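🔧 Use Cases

When the user needs to:

  • Enable the openclaw MCP feature
  • Configure the engine_mcp_server server
  • Use the Finance Engine MCP server to run quantitative strategies
  • Backtest trading strategies or perform financial analysis

⚠️ Notes

  1. Make sure the openclaw version is >= 2026.3.24
  2. To upgrade openclaw, use the openclaw update command
  3. Restart openclaw after configuration so that the changes take effect
  4. Make sure Authorization and appid are configured correctly

📝 Complete Configuration Example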

{
  "commands": {
    "mcp": true
  },
  "mcp": {
    "servers": {
      "engine_mcp_server": {
        "url": "https://mcp.hzyotoy.com/engine/mcp",
        "headers": {
          "Authorization": "Aksk Mu4OfFXJSPyWXGv3",
          "appid": "mcpclient001"
        }
      }
    }
  }
}

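✅ Verifying the Configuration

After configuration, you can verify it as follows:

  1. Check that commands.mcp is true in the main configuration file
  2. Check that mcp.servers contains engine_mcp_server
  3. Try calling an MCP tool to confirm that the configuration has taken effect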
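
An added example, not part of the original skill or of OpenClaw: a Python audit of the config shape shown above that performs the commands.mcp check and also flags literal credential headers and endpoints outside an allowlist, the two concerns raised in the scan. The `${ENV_VAR}` reference syntax, the `OPENCLAW_MCP_APPID` name, the sensitive-header list and the sample hosts are assumptions; the sample config is constructed.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: secrets are referenced as ${ENV_VAR}; confirm the interpolation
# syntax your OpenClaw version actually supports before relying on this pattern.
ENV_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")
SENSITIVE = {"authorization", "appid", "x-api-key"}  # assumed list, extend as needed

def audit_mcp_config(cfg, trusted_hosts):
    """Return (server, finding) tuples for an OpenClaw-style config dict."""
    findings = []
    if cfg.get("commands", {}).get("mcp") is not True:
        findings.append(("-", "commands.mcp is not true"))
    for name, srv in cfg.get("mcp", {}).get("servers", {}).items():
        url = urlparse(srv.get("url", ""))
        if url.scheme != "https":
            findings.append((name, "url is not https"))
        if url.hostname not in trusted_hosts:
            findings.append((name, f"untrusted host: {url.hostname}"))
        for hdr, val in srv.get("headers", {}).items():
            # A literal value here means the secret lives in the config file itself.
            if hdr.lower() in SENSITIVE and not ENV_REF.match(str(val)):
                findings.append((name, f"literal value in header {hdr}"))
    return findings

# Constructed sample with the same shape as the page's config; values are placeholders.
SAMPLE = json.loads("""
{
  "commands": {"mcp": true},
  "mcp": {"servers": {"engine_mcp_server": {
    "url": "https://mcp.example.invalid/engine/mcp",
    "headers": {"Authorization": "Aksk PLACEHOLDER-TOKEN", "appid": "${OPENCLAW_MCP_APPID}"}
  }}}
}
""")

if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE, trusted_hosts={"mcp.internal.example"}):
        print(f"[{server}] {finding}")
```

Run it against a copy of the real configuration with an allowlist of the MCP hosts you have vetted; an empty result means no literal credential headers and no unvetted endpoints were found.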

🔄 Standard JSON-RPC Call Format

Standard MCP tool call format

When calling an MCP tool, you must use the following standard JSON-RPC format:

{
  "method": "tools/call",
  "params": {
    "name": "run_expression_selected",
    "arguments": {
      "input": {
        "startDate": "2023-01-17T00:00",
        "endDate": "2026-04-17T00:00",
        "openCondition": "_close_5m > MAX(_box_15m_green_high, REF(_box_15m_green_high, 1)) && _dkx_30m_cross_status == 1",
        "closeCondition": "_close_5m < MIN(_box_15m_red_low, REF(_box_15m_red_low, 1)) && _dkx_30m_cross_status == -1",
        "period": "5m",
        "poolId": 10,
        "codes": "ag8888,au8888",
        "initCash": 10000000,
        "direction": 1,
        "commssionFee": 0,
        "slippage": 0,
        "runId": 1
      }
    },
    "_meta": {
      "progressToken": 82
    }
  }
}

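JSON-RPC Parameters

| Field | Type | Description | Example |
|---|---|---|---|
| method | string | Name of the method to call | "tools/call" |
| params.name | string | MCP tool name | "run_expression_selected" |
| params.arguments | object | Tool arguments object | { "input": {...} } |
| params.arguments.input | object | Strategy input parameters | See the detailed description below |
| params._meta | object | Metadata (optional) | { "progressToken": 82 } |

input Object Parameters

| Parameter | Type | Description | Example |
|---|---|---|---|
| startDate | DateTime | Start date | "2023-01-17T00:00" |
| endDate | DateTime | End date | "2026-04-17T00:00" |
| openCondition | string | Condition for opening a position | "_close_5m > MAX(_box_15m_green_high, REF(_box_15m_green_high, 1)) && _dkx_30m_cross_status == 1" |
| closeCondition | string | Condition for closing a position | "_close_5m < MIN(_box_15m_red_low, REF(_box_15m_red_low, 1)) && _dkx_30m_cross_status == -1" |
| period | string | Base period | "5m" |
| poolId | int | Instrument pool ID | 10 |
| codes | string | Contract code list | "ag8888,au8888" |
| initCash | float | Initial capital | 10000000 |
| direction | int | Trade direction | 1 (long) |
| commssionFee | float | Commission fee, % | 0 |
| slippage | float | Number of ticks or tick value | 0 |
| runId | long | Run ID | 1 |

Call Examples

Example 1: Backtest using an instrument pool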

{
  "method": "tools/call",
  "params": {
    "name": "run_expression_selected",
    "arguments": {
      "input": {
        "startDate": "2025-12-25T00:00",
        "endDate": "2026-03-25T00:00",
        "openCondition": "_ma_5m_30_trend == 1 && _dkx_1d_cross_status == 1",
        "closeCondition": "_ma_5m_30_trend == -1 && _dkx_1d_cross_status == -1",
        "period": "5m",
        "poolId": 10,
        "codes": "",
        "initCash": 10000000,
        "direction": 1,
        "commssionFee": 0,
        "slippage": 0,
        "runId": 1774578250123
      }
    }
  }
}
