QuantClaw Data

Pass

Audited by ClawScan on May 10, 2026.

Overview

The artifacts describe a financial-data integration with no clear malicious behavior, but using it depends on external code, unpinned dependencies, and an optional MCP server that were not included for review.

This appears reasonable if you trust the linked project. Use an isolated Python environment, inspect the GitHub repository and MCP server before enabling them, and remember that the submitted artifacts do not include the actual application code for review.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The behavior you get may change if the remote repository or dependency versions change.

Why it was flagged

The setup depends on a remote repository and unpinned PyPI packages, so the actual code and dependency versions used at install time may differ from what was reviewed.

Skill content

git clone https://github.com/yoniassia/quantclaw-data.git ... pip install yfinance numpy scipy pandas statsmodels pandas-datareader requests beautifulsoup4

Recommendation

Clone only from a trusted source, inspect the repository before running it, use a virtual environment, and pin dependency versions when possible.

What this means

If enabled, your agent may be able to call a broad financial-data tool server.

Why it was flagged

The skill offers an MCP server that would expose many tools to an agent, but the MCP server implementation and tool permissions are not included in the submitted artifacts.

Skill content

"MCP (210 tools)" ... "Add to your MCP config" ... "command": "node", "args": ["mcp-server.js"], "cwd": "/path/to/quantclaw-data"

Recommendation

Only add the MCP server after reviewing its code and configure it for trusted clients with the minimum needed permissions.