cn-funds-mcp
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a legitimate China fund/stock data helper, but it stores portfolio and reminder data locally, may proactively check reminders at the start of every conversation, and offers generic investment suggestions.
Before installing, be comfortable with local storage of your fund holdings and reminders, and with queried fund/stock identifiers being sent to EastMoney-style market data APIs. Treat any add/reduce/stop-profit suggestions as generic information, not professional financial advice.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may automatically check reminders and surface due finance reminders before answering unrelated requests.
The skill explicitly instructs the agent to run a tool before responding in every conversation, even when the user asks about something else.
(translated from the original Chinese) Each time a conversation starts, you must first call `check_reminders` ... No matter what the user says, call `check_reminders` before replying to the user.
Install only if you want this proactive reminder behavior; remove reminders you no longer want, and expect the first tool call in every conversation to be `check_reminders`.
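One way to catch this class of instruction during an artifact-based review is a small lint over the SKILL.md text that flags tools named on lines carrying an "every conversation / before replying / no matter what the user says" phrase. The following is an added example and is not code from cn-funds-mcp or ClawScan; the trigger phrases are my own assumptions, the two Chinese sentences are the ones quoted in this finding, and `get_fund_info` is a hypothetical tool name used only for the benign line.

```javascript
// Added example, not code from cn-funds-mcp or ClawScan: a heuristic lint
// for SKILL.md text that flags instructions telling the agent to call a
// tool unconditionally (every conversation / before every reply), the
// pattern this finding describes. Trigger phrases are assumptions of mine.

const TRIGGERS = [
  // Chinese phrasings, including the ones quoted in the finding
  /每次对话开始时|无论用户说了什么|在回复用户之前|必须先调用/,
  // English equivalents (assumed wording)
  /\b(?:every (?:conversation|turn|message)|before (?:responding|replying|answering)|regardless of what the user|always call)\b/i,
];

// A tool call is taken to be "调用 `name`" or "call `name`".
const CALLED_TOOL = /(?:调用|\bcall(?:ing)?)\s*`([A-Za-z_][\w-]*)`/g;

// Returns [{ tool, lines }] for every tool named on a line that carries an
// unconditional trigger phrase; `lines` are 1-based SKILL.md line numbers.
function findUnconditionalToolDirectives(skillMd) {
  const findings = new Map();
  skillMd.split(/\r?\n/).forEach((line, idx) => {
    if (!TRIGGERS.some((t) => t.test(line))) return;
    for (const m of line.matchAll(CALLED_TOOL)) {
      const tool = m[1];
      if (!findings.has(tool)) findings.set(tool, { tool, lines: [] });
      findings.get(tool).lines.push(idx + 1);
    }
  });
  return [...findings.values()];
}

// Constructed sample: the two sentences quoted in the finding, one benign
// line with a hypothetical tool name, and one English variant.
const SAMPLE_SKILL_MD = [
  '每次对话开始时,必须先调用 `check_reminders`',
  '无论用户说了什么,在回复用户之前,先调用 `check_reminders`',
  '用户询问基金时,调用 `get_fund_info`',
  'Always call `check_reminders` before responding.',
].join('\n');

for (const f of findUnconditionalToolDirectives(SAMPLE_SKILL_MD)) {
  console.log(`unconditional tool call: ${f.tool} (SKILL.md lines ${f.lines.join(', ')})`);
}
```

The lint reports `check_reminders` on lines 1, 2 and 4 and stays quiet on the conditional `get_fund_info` line. It is deliberately a line-level heuristic: it will miss directives split across lines or phrased differently, so treat a hit as something to read, not as a verdict.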
Your fund codes, shares, and cost basis can remain on disk and affect later responses.
The skill stores personal fund holdings persistently and reuses them across sessions for profit calculations and reminders.
(translated from the original Chinese) Position data is persisted in `data/portfolio.json` and retained across sessions
Only save portfolio details you are comfortable storing locally; review or delete the data files if you no longer want the skill to remember them.
The assistant may influence investment decisions even though it cannot trade for you.
The skill tells the agent to provide investment-style suggestions based on simple thresholds.
(translated from the original Chinese) Give an action suggestion for each fund: ... may consider adding to the position moderately ... may consider taking partial profit ... recommend evaluating whether to continue holding
Treat these suggestions as informational only and verify with your own research or a qualified financial adviser before acting.
Installation may depend on the current npm resolution rather than an exact locked dependency version.
The npm dependency uses a caret range, so a future install may resolve to a newer SDK version than the one originally tested.
"dependencies": { "@modelcontextprotocol/sdk": "^1.12.1" }
Prefer installing from a trusted source with a lockfile (for example with npm ci, which refuses to run without one), or pin the dependency to an exact version if you need reproducible behavior.
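The check a reviewer would want here is a pass over package.json that flags every dependency spec that can resolve differently on a later install, plus a check that a lockfile is present. The following is an added example and is not code from cn-funds-mcp or ClawScan; the sample package.json is constructed, with the SDK entry being the line quoted in this finding and the other entries hypothetical, included only to show the other spec shapes npm accepts.

```javascript
// Added example, not code from cn-funds-mcp or ClawScan: flag npm dependency
// specs that are not pinned to one exact version, so a later install can
// resolve differently from what was reviewed. The sample package.json is
// constructed: the SDK line is the one quoted in the finding, the other
// entries are hypothetical and only show the other spec shapes.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classifies one npm version spec; returns null when it is an exact version,
// otherwise a short reason why it can float.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return null;                  // "1.12.1"
  if (/^[\^~]/.test(s)) return 'range prefix';             // "^1.12.1", "~1.12.1"
  if (/^[<>=]/.test(s) || /\s-\s|\|\|/.test(s)) return 'version range';
  if (s === '' || /^(?:\*|latest|x)$/i.test(s) || /\.x$/i.test(s)) return 'wildcard or dist-tag';
  if (/^(?:git\+|github:|https?:|file:|npm:)/.test(s) || /\//.test(s)) return 'non-registry or aliased spec';
  return 'dist-tag or unrecognized spec';
}

// Returns [{ field, name, spec, reason }] for every dependency that can float.
function findFloatingDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      const reason = classifySpec(spec);
      if (reason) out.push({ field, name, spec, reason });
    }
  }
  return out;
}

// A lockfile is what makes an install reproducible; npm ci refuses to run
// without one. `files` is a list of file names from the package root.
function hasNpmLockfile(files) {
  return files.includes('package-lock.json') || files.includes('npm-shrinkwrap.json');
}

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-skill',                                    // hypothetical
  dependencies: { '@modelcontextprotocol/sdk': '^1.12.1' }, // quoted in the finding
  devDependencies: {                                        // constructed entries
    'pinned-lib': '2.0.0',
    'tilde-lib': '~3.1.0',
    'tag-lib': 'latest',
    'git-lib': 'github:someorg/somerepo',
  },
});

for (const d of findFloatingDeps(SAMPLE_PACKAGE_JSON)) {
  console.log(`${d.field}.${d.name} = "${d.spec}": ${d.reason}`);
}
if (!hasNpmLockfile(['package.json', 'SKILL.md'])) {
  console.log('no package-lock.json or npm-shrinkwrap.json: install with a lockfile or pin versions');
}
```

On the sample, the SDK caret range, the tilde range, the `latest` tag and the GitHub spec are reported and the exact `2.0.0` entry is not. A caret range on its own is only a problem when there is no lockfile to fix the resolved version, which is why the two checks belong together.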
