iFind http API

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ifind
Version: 1.0.0

The skill bundle provides a legitimate Python wrapper and CLI for the iFinD QuantAPI (quantapi.51ifind.com). It includes well-structured scripts for managing API tokens and querying financial data, with clear documentation in SKILL.md and the references directory. Security practices are observed, such as restricting credential file permissions to the owner (600) in ifind_token_store.py and providing explicit instructions to the agent to avoid echoing sensitive tokens in chat or logs.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could gain ongoing access to the user's iFinD API account through the refresh token, and the token could be exposed through command/tool logs or process arguments if handled carelessly.

Why it was flagged

This directs the agent to use an existing authenticated browser session to obtain a long-lived provider credential and store it locally. That is purpose-aligned for iFinD API access, but it is high-impact account authority and lacks a clear user-consent gate before reading an already-logged-in session.

Skill content

log in with the user's existing session ... locate the `refresh_token` ... `python3 scripts/ifind_token_store.py set --token '<TOKEN>'`

Recommendation

Require explicit user approval before accessing the account page or reading the token, declare the credential requirement in metadata, and prefer a safer secret-entry mechanism such as a secret store or stdin prompt rather than a command-line token argument.

What this means

A mistaken or overly broad raw endpoint call could consume API quota or perform unintended iFinD account/API actions if such endpoints exist.

Why it was flagged

The CLI supports a raw endpoint mode that sends arbitrary JSON payloads to a user-specified iFinD API endpoint under the stored token. This fits the wrapper purpose, but it is broader than the safer preset commands.

Skill content

endpoint.add_argument('endpoint') ... payload = json.loads(args.payload) ... return api._call_api(args.endpoint, payload)

Recommendation

Prefer the preset commands for routine use, and require the user to review and approve raw endpoint names and payloads before calling them.

What this means

Installing dependencies may pull a newer version of requests than the author tested.

Why it was flagged

The dependency is specified with a lower bound rather than an exact version pin, so a future package version may be installed. The install step is user-directed and the dependency is purpose-aligned.

Skill content

requests>=2.31.0

Recommendation

Install in a virtual environment and consider pinning an exact requests version if reproducibility is important.