Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mx Search
v1.0.0
Retrieve timely, authoritative financial news, announcements, research reports, policies, and other finance‑related information using the Meixiang (妙想) searc...
⭐ 0 · 693 · 41 current · 41 all-time
by @xpmars
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a focused financial search skill that calls a Meixiang (妙想) API; the described capability coheres with the name and description. However, the registry metadata lists no required environment variables or binaries while the instructions explicitly require MX_APIKEY and curl — an inconsistency between declared requirements and actual runtime needs.
Instruction Scope
The instructions are narrowly scoped to constructing a query, POSTing JSON to the Meixiang endpoint, parsing the JSON fields, and optionally saving results to a local file. The skill does not instruct the agent to read unrelated files, harvest other environment variables, or transmit data to unexpected endpoints beyond the stated API.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lowest install risk). The only runtime dependency mentioned is curl (standard on many systems); the package metadata should have declared that, but no packages or downloads are requested by the skill itself.
Credentials
The SKILL.md requires an API key provided via MX_APIKEY, but the registry metadata declares no required env vars or primary credential. That mismatch is concerning because users and the platform won't be informed programmatically that a secret is needed. The skill requests only one credential (MX_APIKEY), which is proportionate to the described function if declared correctly.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install steps that persist code or credentials. Its optional suggestion to save JSON to the current directory is a user action and not a hidden persistence mechanism.
What to consider before installing
This skill appears to perform Meixiang financial searches as described, but the package metadata does not declare the MX_APIKEY env var or the curl dependency that the SKILL.md requires. Before installing or using it: 1) verify the API host (https://mkapi2.dfcfs.com) and the origin/trustworthiness of Meixiang; 2) only provide an API key with appropriate, limited permissions and consider using an ephemeral or read-only key; 3) confirm where results are stored and avoid placing sensitive credentials in shared shell profiles; and 4) prefer skills whose registry metadata explicitly lists required credentials and binaries. The inconsistencies likely reflect sloppy packaging rather than malware, but exercise caution.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a6d1r5afwr4c3he4wc5ng4h82wrgg
