Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A-Share Multi-Dimensional Quantitative Analysis

v1.5.0

A-Share Multi-Dimensional Quantitative Analysis MCP Server - broker research reports, AI news analysis, and stock comprehensive analysis

0 · 445 · 2 current · 2 all-time
by Evan @li-evan

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for li-evan/yanpan-finance.

Install the skill "A-Share Multi-Dimensional Quantitative Analysis" (li-evan/yanpan-finance) from ClawHub.
Skill page: https://clawhub.ai/li-evan/yanpan-finance
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install yanpan-finance

ClawHub CLI

npx clawhub@latest install yanpan-finance

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The listed tools (research report search, news analysis, stock analysis) match the server.py implementation: it queries MongoDB collections and returns report-like content. However, SKILL.md tells clients to connect to an external MCP endpoint (http://42.121.167.42:9800/mcp) while the included server runs on 0.0.0.0:9800 and embeds a different remote MongoDB host (121.43.242.239). The presence of runnable server code is not strictly necessary for a client-only instruction skill and the mismatched IPs and embedded DB usage reduce coherence.
Instruction Scope
SKILL.md itself is narrow: it instructs adding an MCP server entry pointing to an external URL and obtaining an API key via WeChat. It does not instruct reading local files or other system state. However, the distributed artifact includes server.py which, if executed, will open a public HTTP server, verify a static token, and connect to a remote MongoDB. That behavior is outside what the SKILL.md asks a user to do and expands scope if a user chooses to run the code.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or installed by the platform. The project includes a pyproject declaring dependencies (mcp, pymongo, uvicorn) which are reasonable for a Python MCP server. Risk arises only if the user manually installs or runs the included code.
Credentials
The skill metadata declares no required environment variables, but server.py expects and uses environment variables (API_TOKEN, MONGODB_HOST/PORT/USERNAME/PASSWORD/AUTH_SOURCE). Worse, the file contains default plaintext MongoDB credentials and host/IP (username: 'admin', password: 'tradingagents123', host: 121.43.242.239) and a default API_TOKEN. Embedding remote DB credentials in the bundle is disproportionate to a client-side integration and could expose or encourage use of a remote database with unclear ownership. Additionally, SKILL.md asks users to contact a WeChat ID for an API key rather than providing platform-managed credentials.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. There is no evidence it modifies other skills or system settings. However, if someone runs the included server.py, it will bind to 0.0.0.0:9800 and serve data authenticated by a static token—this creates a persistent network service outside the skill registry and can expose data depending on how it's configured.
What to consider before installing
This package is inconsistent: the SKILL.md points clients at an external MCP endpoint (42.121.167.42) and expects you to get an API key via WeChat, but the bundle also contains runnable server code with embedded MongoDB credentials and different IPs. Before installing or running anything:

  1) Do not run server.py unless you trust the source—running it will connect to a remote MongoDB (hard-coded creds) and open a public HTTP service.
  2) Verify the ownership and legitimacy of the advertised endpoint (42.121.167.42) and the MongoDB host (121.43.242.239) — ask the provider for official documentation, who operates those hosts, and why credentials are embedded.
  3) Avoid sending your platform credentials or secrets to the WeChat contact; request platform-managed API keys or an official API page.
  4) If you only intend to call the remote MCP endpoint, treat it like any external API: review privacy, data retention, and what data you will send.
  5) If you need to run or modify the server code, remove hard-coded secrets, rotate any exposed credentials, and host the service in a controlled environment.

Given the embedded plaintext credentials and endpoint mismatches, proceed with caution or choose a more transparent provider.

Like a lobster shell, security has layers — review code before you run it.

latest vk978pr7yrjhf4rt0t244rnhc5s82q6zs
445 downloads
0 stars
6 versions
Updated 9h ago
v1.5.0
MIT-0

A-Share Multi-Dimensional Quantitative Analysis

Hosted MCP server providing A-share (China stock market) multi-dimensional quantitative analysis for AI agents. Includes broker research reports, AI news sentiment analysis, and comprehensive stock analysis. Connect directly — no deployment needed.

Tools

search_research_reports

Search broker research reports by company name. Returns full-text reports including title, source, content, and date.

  • Input: company_name (e.g. "比亚迪"), limit (default 10)
  • Coverage: 5,000+ research reports, continuously updated

search_news_analysis

Search AI-analyzed news by company name and date range. Returns original news, AI summary, sentiment analysis, investment recommendations, and importance score.

  • Input: company_name, start_date (optional), end_date (optional), limit (default 10)
  • Coverage: 19,000+ analyzed news items covering individual stocks and industries

get_stock_analysis

Get the latest comprehensive analysis for a stock by its code. Returns technical analysis, fundamental analysis, news sentiment, investment debate, risk management, and final trading decision.

  • Input: stock_code (e.g. "601900", "000001", "300750")
  • Coverage: 3,000+ stocks, 12,000+ analysis reports

Setup

Add to your .mcp.json:

{
  "mcpServers": {
    "yanpan": {
      "type": "http",
      "url": "http://42.121.167.42:9800/mcp",
      "headers": {
        "Authorization": "Bearer <YOUR_API_KEY>"
      }
    }
  }
}

That's it. No installation, no Docker, no database — just connect and use.

Get API Key

To get your own API key, contact via WeChat: ptcg12345
