v1.0.0

Eastmoney Fin Search 1.0.5

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:14 AM.

Analysis

This skill appears to do what it claims: send financial search queries to Eastmoney’s API, use an API key, and save results locally, with only metadata/provenance notes to review.

Guidance: Before installing, confirm the publisher/version because the metadata is inconsistent, set MX_APIKEY only in a trusted environment, and remember that your financial search queries will be sent to Eastmoney’s API and saved locally as text and JSON results.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: Medium. Status: Note.
_meta.json
"ownerId": "kn73m56g83j65mv3bjd848j7vn82t04f", "slug": "eastmoney-fin-search", "version": "1.0.5"

The included _meta.json does not match the registry metadata shown in the prompt, which lists a different owner ID, slug, and version. This is a provenance/metadata consistency issue, not evidence of malicious code.

User impact: The package identity and version information are inconsistent, which can make it harder to confirm provenance.
Recommendation: Verify the publisher and version in the skill registry before installing, especially if you rely on a specific trusted publisher.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note.
mx_search.py
self.api_key = api_key or os.getenv("MX_APIKEY")

The code uses an API key from the MX_APIKEY environment variable. This is purpose-aligned and not hardcoded or logged, but users should know the registry summary says no required env vars while the skill itself requires one.

User impact: The skill needs an Eastmoney API key to work, and that key grants access to the associated API service.
Recommendation: Set MX_APIKEY only in a trusted environment, keep the key private, and rotate it if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
SKILL.md
This Skill sends your query text to the official Eastmoney API domain ( `mkapi2.dfcfs.com` ) to retrieve financial data.

The skill clearly discloses that query text is sent to an external provider; this is expected for a search integration but matters if queries contain sensitive financial or business information.

User impact: Anything typed into the search query may be sent to Eastmoney’s API.
Recommendation: Use the skill only for queries you are comfortable sending to the Eastmoney API, and avoid confidential account, portfolio, or client information unless appropriate.