ClawHub

cn-funds-mcp

v1.0.1

China fund & stock data assistant (free API, no API key required). Query fund valuation, NAV, holdings, manager info, stock/index quotes, market capital flow...

1· 167·0 current·0 all-time
by@smallke
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the code calls EastMoney/1234567 endpoints to fetch fund, stock, market and manager data and exposes portfolio and reminder management. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md requires calling check_reminders at each conversation start and supports importing screenshots via OCR (if the model supports image input). This is consistent with reminder/portfolio features, but it encourages uploading sensitive finance screenshots (personal holdings) which will be parsed and stored locally.
Install Mechanism
There is no install spec in the registry (instruction-only), and package.json only depends on @modelcontextprotocol/sdk. No downloads from untrusted URLs or extract/install steps are present in the manifest.
Credentials
The skill requires no environment variables or external credentials — only network access to public EastMoney/1234567 endpoints. It persistently stores user data in a local data/ directory (data/portfolio.json and data/reminders.json); no secrets are requested.
Persistence & Privilege
always:false (no forced global presence). The skill persists reminders and portfolios to files under its data/ directory and will check reminders at conversation start per SKILL.md. This is expected but means sensitive holdings are kept on disk in plaintext JSON.
Assessment
This skill appears internally consistent and implements what it advertises, but review the following before installing: - Privacy: the skill asks users to upload screenshots for OCR-based import and stores holdings/reminders in data/portfolio.json and data/reminders.json in the skill folder (plain JSON). If those files contain sensitive financial data, ensure the runtime environment has appropriate file permissions or run the skill in a sandbox. - Network endpoints: it fetches data from eastmoney and 1234567 domains (public Chinese finance APIs). If you require stricter data provenance, verify those endpoints yourself and/or inspect responses. - Dependency review: package.json depends on @modelcontextprotocol/sdk; prefer installing from a controlled environment and verify the package version before running. - Test with dummy data first: add sample holdings to confirm behavior and to see where files are written and what reminders trigger. If you are uncomfortable storing real holdings or uploading screenshots, do not use the OCR import and/or run the skill in an isolated container or VM.

Like a lobster shell, security has layers — review code before you run it.

latestvk975mhwyqngfmpq9gb3ay898bn83585x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments