ClawHub

Mx Data

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent read-only financial data lookup skill, but users should note it requires an API key and sends query text to a disclosed external API.

Before installing, confirm you trust the disclosed Meixiang financial data endpoint, configure MX_APIKEY securely, and avoid sending confidential non-financial information in queries. The provided artifacts otherwise show a purpose-aligned, read-only financial data lookup skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI03: Identity and Privilege Abuse
What this means

The agent may use the configured Meixiang API key and any quota or access associated with it when answering financial data questions.

Why it was flagged

The skill uses a service API key to authenticate requests. This is expected for the financial data service, but it is still credential use that users should notice.

Skill content
将 API key 写入环境变量 `MX_APIKEY` ... --header "apikey:${MX_APIKEY}"
Recommendation

Store the API key securely as an environment variable, avoid pasting it into chat, use a least-privilege key if available, and rotate it if exposed.

Low
#ASI02: Tool Misuse and Exploitation
What this means

Financial query text is transmitted to the provider endpoint to retrieve data.

Why it was flagged

The documented workflow sends the user's query text to a remote API via curl. This is central to the skill and appears read-only, but it is an external API/tool operation.

Skill content
curl -X POST --location 'https://mkapi2.dfcfs.com/finskillshub/api/claw/query' ... --data '{"toolQuery": "<YOUR_QUERY>"}'
Recommendation

Only submit queries appropriate for that provider, and use specific filters or date ranges to reduce unnecessary data sharing and oversized responses.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

The installer or registry view may not warn users up front that they need curl and an API key before using the skill.

Why it was flagged

These prerequisites are disclosed in the skill text, but the registry metadata says there are no required environment variables, binaries, or primary credential. This is an under-declaration rather than hidden execution.

Skill content
将 API key 写入环境变量 `MX_APIKEY` ... 本地需安装 `curl`
Recommendation

Treat MX_APIKEY and curl as required setup, and update the skill metadata to declare the credential and binary dependency.