ClawHub

Eastmoney Financial Search

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated Eastmoney financial-news search purpose, with disclosed third-party API use, a bundled/default API key, and local result-file creation as the main things to notice.

This appears safe for its stated purpose if you are comfortable sending financial-search queries to Eastmoney. Consider setting your own EASTMONEY_APIKEY, avoid sensitive personal or confidential details in queries, and remember that successful runs may save result files locally.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Low
What this means

Requests may be authenticated with a bundled/shared provider key unless the user supplies their own EASTMONEY_APIKEY.

Why it was flagged

The skill uses a credential-like API key, including a hardcoded default, to access the Eastmoney API. This is expected for the service integration but should be visible to users.

Skill content
apikey = os.environ.get("EASTMONEY_APIKEY", "mkt_Z19TUfMY79_44k4wZsAHIVGVva0-g8PxD_DkBDQx2iM")
Recommendation

Use your own Eastmoney API key if available, and treat the bundled key as a provider-access detail rather than a private user credential.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Financial queries, including any personal or confidential details included in them, are transmitted to Eastmoney's API.

Why it was flagged

The user's query and API key are sent to an external Eastmoney endpoint. This is disclosed and aligned with the search purpose, but it means query text leaves the local environment.

Skill content
url = "https://mkapi2.dfcfs.com/finskillshub/api/claw/news-search" ... data = {"apikey": apikey, "query": query}
Recommendation

Avoid including sensitive personal, account, or confidential business details in search queries unless you are comfortable sending them to the provider.

#
ASI02: Tool Misuse and Exploitation
Info
What this means

Running the script can leave local text files containing the user's query and returned financial information.

Why it was flagged

The script writes successful query results to a timestamped text file in the current working directory. This is a scoped, purpose-aligned output behavior, but users should expect local files to be created.

Skill content
save_to_file(query, result) ... with open(full_filename, "w", encoding="utf-8-sig") as f:
Recommendation

Run it from an appropriate working directory and delete saved result files if you do not want them retained.