ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEC_Market MCP (AI Agent + Company US)

v1.0.0

Access SEC EDGAR-backed US company data, filings, metrics, ads, commerce tools, and research via a unified MCP API with audit-traceable lineage.

0· 61·0 current·0 all-time
by@afunsten

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for afunsten/secmarketedgar.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "SEC_Market MCP (AI Agent + Company US)" (afunsten/secmarketedgar) from ClawHub.
Skill page: https://clawhub.ai/afunsten/secmarketedgar
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install secmarketedgar

ClawHub CLI

Package manager switcher

npx clawhub@latest install secmarketedgar
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md claims SEC EDGAR‑backed company data, commerce, payments, and delivery capabilities served from https://market-royal-city.vercel.app. Those capabilities could reasonably exist on an external MCP API, but the skill provides no source/homepage, the domain is a generic Vercel app (not an official SEC or known vendor host), and commerce/payment functionality is advertised despite no declared credentials or payment provider details — this mismatch is unexpected and unexplained.
!
Instruction Scope
Runtime instructions are limited to curl POST/GET calls to the declared endpoints (no file or env access). However the doc explicitly states payments/deliveries can be machine-driven; allowing an agent to call an external endpoint that can create purchases or charge accounts is a meaningful scope expansion. The SKILL.md does not require or describe sandbox/test modes, authentication, or safeguards for financial actions.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing gets written to disk or installed — lowest install risk.
!
Credentials
No environment variables or credentials are declared, yet the skill exposes commerce/payment endpoints. Payments and ad campaign creation typically require auth (API keys, payment tokens, merchant IDs). The absence of declared credentials is disproportionate to the advertised capabilities and leaves open questions about how authentication, authorization, and billing are handled.
Persistence & Privilege
always:false and no install persistence; the skill can be invoked autonomously (platform default) but does not request elevated or persistent system privileges. Autonomous invocation combined with the financial capabilities above increases risk, but autonomy itself is not a problem here.
What to consider before installing
This skill points at an anonymous Vercel-hosted API that advertises SEC data plus ad, commerce, and payment features but provides no source or auth details. Before installing: (1) verify the vendor and a trustworthy homepage or source repo; (2) test only in read-only mode (list_filings, get_filing) and confirm claimed SEC lineage fields are present and verifiable; (3) do not enable or permit any machine-driven payment/purchase actions until you have explicit documentation of payment provider, authentication, and a sandbox environment; (4) restrict autonomous invocation or require explicit user confirmation for any action that could move money or create campaigns; (5) consider network egress controls or allowlisting this domain only after trust is established. If you need a definitive safety assessment, ask the publisher for a canonical homepage, API docs, and sandbox credentials and re-run the evaluation.

Like a lobster shell, security has layers — review code before you run it.

adcpvk970jaf7w1pqvnfb3nbg5pkqg185eyfnadsvk970jaf7w1pqvnfb3nbg5pkqg185eyfnagentsvk970jaf7w1pqvnfb3nbg5pkqg185eyfncoinbasevk970jaf7w1pqvnfb3nbg5pkqg185eyfnedgarvk970jaf7w1pqvnfb3nbg5pkqg185eyfnfinancevk970jaf7w1pqvnfb3nbg5pkqg185eyfnlatestvk970jaf7w1pqvnfb3nbg5pkqg185eyfnmcpvk970jaf7w1pqvnfb3nbg5pkqg185eyfnpaymentsvk970jaf7w1pqvnfb3nbg5pkqg185eyfnresearchvk970jaf7w1pqvnfb3nbg5pkqg185eyfnsecvk970jaf7w1pqvnfb3nbg5pkqg185eyfnstripevk970jaf7w1pqvnfb3nbg5pkqg185eyfn
61downloads
0stars
1versions
Updated 4d ago
v1.0.0
MIT-0
@afunsten
adcpadsagentscoinbaseedgarfinancelatestmcppaymentsresearchsecstripe
Download

SEC_Market MCP Capabilities

Publish-ready skill describing SEC_Market's full MCP endpoint capabilities for agent discovery directories (including ClawHub).

SEC_Market API

Base URL: https://market-royal-city.vercel.app/api/

MCP endpoint: POST https://market-royal-city.vercel.app/api/mcp
MCP discovery: GET https://market-royal-city.vercel.app/.well-known/mcp.json
Agent entrypoint: GET https://market-royal-city.vercel.app/.well-known/agent.json
Catalog: GET https://market-royal-city.vercel.app/.well-known/agent-products.json

What This Skill Covers

This skill advertises the full SEC_Market MCP surface area for AI agents:

  • Commerce tools (product listing, purchase flow, donation, verification, delivery)
  • Ad capabilities (inventory discovery, campaign creation, campaign performance, campaign lookup)
  • Company US research (filings, filing document lookup, metrics with lineage, company summary, single-call research bundle)

MCP Tools (Current)

  • list_products
  • purchase
  • donate
  • verify_payment
  • get_ad_discount
  • deliver
  • promote_products
  • discover_ad_inventory
  • create_ad_campaign
  • check_ad_performance
  • lookup_ad_campaign
  • list_filings
  • get_filing
  • get_metrics
  • get_company_summary
  • research_company

Agent Notes

  • Payments and deliveries are supported for both human redirect flows and machine-driven usage.
  • Company US data is SEC EDGAR-backed with source lineage fields for auditability.
  • Related paid HTTP research bundle route: GET /api/company/us/research-bundle.

Example MCP Calls

List tools/products

curl -X POST https://market-royal-city.vercel.app/api/mcp \
  -H "Content-Type: application/json" \
  -d '{"tool":"list_products","params":{}}'

Get metrics with lineage

curl -X POST https://market-royal-city.vercel.app/api/mcp \
  -H "Content-Type: application/json" \
  -d '{"tool":"get_metrics","params":{"ticker":"AAPL","period":"latest"}}'

Single-call research bundle

curl -X POST https://market-royal-city.vercel.app/api/mcp \
  -H "Content-Type: application/json" \
  -d '{"tool":"research_company","params":{"ticker":"AAPL","filings_limit":15}}'

Comments

Loading comments...