ClawHub

Mx Finance Data 1.0.8

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent finance-data query skill, but it uses an Eastmoney API key, sends queries to Eastmoney, and installs unpinned Python packages.

Install only if you trust the publisher and Eastmoney service, use a revocable EM_API_KEY, and avoid including confidential investment or client information in natural-language queries.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill may fetch the latest available versions of these packages, so behavior could change if dependencies change upstream.

Why it was flagged

The skill asks the user/platform to install unpinned Python dependencies. This is common for a Python data tool, but dependency versions are not fixed.

Skill content
pip3 install httpx pandas openpyxl --user
Recommendation

Install in a virtual environment where possible and prefer pinned dependency versions from a trusted package index.

#
ASI03: Identity and Privilege Abuse
Low
What this means

The key may identify the user to Eastmoney and may consume quota or carry account permissions for that service.

Why it was flagged

The script reads an Eastmoney API key from the environment and places it in the API request context as the user identity.

Skill content
EM_API_KEY = os.environ.get("EM_API_KEY", "") ... "userId": EM_API_KEY
Recommendation

Use a scoped, revocable API key, keep it out of prompts/logs/output files, and rotate it if it may have been exposed.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Financial entities, strategies, or research questions included in the query may be visible to the remote provider.

Why it was flagged

The user’s natural-language financial query is sent to an Eastmoney remote API endpoint, which is expected for this provider-backed skill.

Skill content
DEFAULT_SEARCH_API_URL = "https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchData" ... "query": query
Recommendation

Avoid putting confidential client, trading, or proprietary strategy information into queries unless sharing it with Eastmoney is acceptable.