iFind http API
v1.0.0Use a local Python wrapper around the official iFinD QuantAPI HTTP endpoints on quantapi.51ifind.com. Use when the user wants iFinD market, macro, fund, code...
⭐ 1· 267·0 current·0 all-time
byYann Long@yannlong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description promise a local Python wrapper for iFinD/QuantAPI (quantapi.51ifind.com). The repository includes a clear wrapper (scripts/ifind_api.py), a CLI (ifind_request.py), token storage helper, and reference docs that all match that purpose. No unrelated cloud providers, unrelated binaries, or surprising capabilities are present.
Instruction Scope
SKILL.md restricts action to checking/setting a refresh_token, installing requests, and running the provided scripts; it documents preferred token-acquisition via the browser or iFinD client. This is within scope for accessing the API but does instruct using a browser/agent-driven flow to read the user's account page for a refresh_token — which is sensitive and should only be allowed with explicit user consent and minimal browsing. The instructions explicitly avoid printing the token or pasting it into chat, which is good.
Install Mechanism
No install spec or remote downloads; the skill is instruction-only and bundles Python source plus a pinned requirements.txt (requests). Risk is low: dependencies are standard (requests) and nothing is pulled from arbitrary URLs or executed automatically during install.
Credentials
The skill legitimately needs a sensitive refresh_token to call the iFinD API and both code and SKILL.md reference the IFIND_REFRESH_TOKEN environment variable and a local credential file. However, the registry metadata lists no required environment variables or primary credential — an omission that can mislead users about the need to supply/store a secret. The requested secret (refresh_token) is proportionate to the functionality, but it is sensitive and the metadata should declare it.
Persistence & Privilege
The skill writes only its own credential file under ~/.openclaw/skills/ifind/credentials.json and attempts to tighten file permissions to owner read/write (600). always:true is not set and the skill does not modify other skills or system-wide settings. That level of persistence is appropriate for storing an API refresh token.
Assessment
This skill appears to do what it says (local wrapper for iFinD). Before installing: (1) be aware you must provide a sensitive iFinD refresh_token — prefer setting IFIND_REFRESH_TOKEN in your environment for ephemeral use or allow the token-store script to write to ~/.openclaw/skills/ifind/credentials.json and verify its permissions (should be 600). (2) Only allow any browser automation or agent-driven browsing to read the account page with explicit consent — this flow can access your logged-in session and is sensitive. (3) Confirm the BASE_URL (quantapi.51ifind.com) is expected and that you trust the skill source (source is unknown). (4) If you have doubts, run the scripts locally yourself (inspect files) rather than granting the agent autonomous browser access, and consider running in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk97br7cvpzt7rsqtxem09hgtk182ywd9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.