Mcp Server
v2.1.263 deterministic quantitative finance calculations via MCP. Options pricing, Greeks, implied volatility, exotic derivatives, risk metrics, portfolio optimiza...
⭐ 0· 14·0 current·0 all-time
by@fel123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description claim a MCP-backed quantitative finance toolset; the package provides a Node MCP server that fetches an OpenAPI spec and exposes the described tools. Required binary 'node' is appropriate and dependencies (express, @modelcontextprotocol/sdk) align with implementing an MCP server.
Instruction Scope
SKILL.md and code both point to a remote backend (default BACKEND_URL https://api.quantoracle.dev) and advertise a public MCP endpoint. That means inputs you pass to the tools will be transmitted to the remote QuantOracle service (and may be billed after the free tier). The README does mention pricing and a backend URL, but it may not be obvious to non-technical users that computations are performed remotely and that potentially sensitive financial inputs are transmitted off-host.
Install Mechanism
No arbitrary downloads or extract steps; typical Node package (npx quantoracle-mcp) / npm distribution. The package.json and package-lock.json use standard npm registry dependencies. Runtime does perform network fetches (fetching openapi.json and proxying tool calls) to the configured backend.
Credentials
Registry metadata lists no required env vars. The code reads optional env vars: BACKEND_URL, PORT, FREE_DAILY_LIMIT, and WALLET_ADDRESS. A config-schema.json exposes 'backend_url' and 'daily_limit', but the code expects BACKEND_URL and FREE_DAILY_LIMIT environment names (naming mismatch). No secrets/keys are requested. Requiring no credentials is proportional, but you should be aware these environment flags control where data is sent and rate limits.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It runs a Node process (local server) when invoked and keeps in-memory rate-limiting state; it does not persist or modify other skills' configurations.
Assessment
This package implements a local MCP server that forwards tool calls to QuantOracle's backend (api.quantoracle.dev) and enforces a free-tier limit; your inputs (option parameters, portfolio data, strategy details, etc.) will be sent to that remote service. If you need computations to run entirely locally or will send sensitive/private strategy data, consider self-hosting the backend (override BACKEND_URL) or avoid using the hosted endpoint. Note the config-schema keys (backend_url, daily_limit) don't exactly match the environment variable names the code reads (BACKEND_URL, FREE_DAILY_LIMIT) — verify and set env vars explicitly if you run it. Also review billing/pricing details (free 1,000 calls/day then pay-per-call) so you don't unexpectedly incur costs. If you want extra safety, run the package in an isolated environment or inspect the runtime handlers that proxy calls to the backend before granting it access to sensitive inputs.dist/index.js:7
Environment variable access combined with network send.
src/index.ts:14
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
latestvk97a81jq5nke6v0ess1ds3957984chsn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
Binsnode