Jinjiancheng Skill

PassAudited by ClawScan on May 15, 2026.

Overview

This is an instruction-only investment-analysis skill with disclosed market-data searches and optional Longbridge integration, but no code, credentials, trading execution, or hidden persistence.

This skill appears safe to install from a security perspective, but it is financially consequential. Use it as an investment-analysis framework, verify market data independently, do not share unnecessary private portfolio details, and only enable the optional Longbridge MCP connection if you trust that provider and understand its permissions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI09: Human-Agent Trust Exploitation

What this means

Users may rely on the agent's confident investment framing when deciding whether to buy, sell, or rotate assets.

Why it was flagged

The skill is explicitly designed to provide action-oriented investment guidance, which can influence real financial decisions even though it does not execute trades.

Skill content

它更像一个成熟投资顾问的思考模板，专门用来判断：

- 现在更适合买什么，不该买什么
- 某只美股或 ETF 该等回调、分批接，还是逢高减

Recommendation

Treat outputs as analysis support, not licensed financial advice; verify current data, suitability, and risk before making trades.

Info

#ASI02: Tool Misuse and Exploitation

What this means

Questions about stocks or portfolios may cause the agent to query web or market-data tools for current information.

Why it was flagged

The skill instructs the agent to use search tools before giving investment advice; this is disclosed and aligned with the purpose, but it means invocations may trigger external research calls.

Skill content

搜索是前置条件，不可跳过。搜索不可用时，提示用户补充信息再给条件式建议。

Recommendation

Avoid including unnecessary private financial details in search queries, and confirm that any tool use is appropriate for the question.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

If enabled, the agent may communicate with Longbridge's MCP service for market data, and any provider permissions or account scopes depend on the user's configuration.

Why it was flagged

The artifact suggests adding an external Longbridge MCP provider for real-time quotes; this is disclosed and user-directed, but it creates a provider communication path whose permissions should be understood.

Skill content

`claude mcp add --transport http longbridge https://openapi.longbridge.com/mcp`

Recommendation

Only add the MCP server if you trust the provider and understand what data and permissions it can access.