by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's runtime instructions are coherent for a Meixiang stock‑screening integration, but the package metadata omits the MX_APIKEY and curl requirement and the source/homepage are unknown — this mismatch and lack of provenance are concerning.
评估建议
Before installing, note these points: (1) SKILL.md requires an API key (MX_APIKEY) and curl, but the skill metadata does not declare them — ask the publisher to correct the metadata so you know a secret will be used. (2) The skill will send your MX_APIKEY to https://mkapi2.dfcfs.com; only provide a key if you trust Meixiang and that domain. (3) There is no homepage or verified source listed — prefer skills with clear publisher pages or docs. (4) The skill is instruction-only (no install), so it ...详细分析 ▾
ℹ 用途与能力
The SKILL.md describes a Meixiang (妙想) stock‑screening integration and the described API calls match the stated purpose. However, the registry metadata declares no required environment variables or binaries while the instructions explicitly require an API key (MX_APIKEY) and curl — an inconsistency between claimed requirements and actual needs.
✓ 指令范围
Instructions are narrowly scoped to forming a JSON query, POSTing to the stated endpoint (https://mkapi2.dfcfs.com/finskillshub/api/claw/stock-screen), parsing the JSON response, and converting results to CSV/column docs. The instructions do not direct the agent to read unrelated local files or exfiltrate data to other endpoints. The one scope issue is the unspecified conversion scripts (left to implement), which grants implementation freedom but not clearly excessive privilege.
✓ 安装机制
There is no install spec and no code files (instruction‑only), so nothing is written to disk by an installer. This is a low install risk. Note: SKILL.md expects curl to be available; the registry lists no required binaries, which is an omission in metadata rather than an active install risk.
⚠ 凭证需求
The runtime instructions require a single API credential (MX_APIKEY) passed in an HTTP header — that is proportionate to the service. But the skill metadata incorrectly lists no required env vars / primary credential. This mismatch can hide the fact that a secret (your MX_APIKEY) will be used/sent to mkapi2.dfcfs.com, and the skill has no declared owner homepage to verify where API keys should be obtained from.
✓ 持久化与权限
The skill is not always-enabled, requests no filesystem config paths, and does not modify other skills or system settings. Autonomous model invocation is allowed (platform default) but is not combined with broad credentials or persistent privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/14
mx-select-stock 1.0.0 – Initial Release - Provides stock screening via the Meixiang (妙想) smart API for A shares, HK stocks, and US stocks. - Allows filtering by user-specified indicators, industries, or sectors. - Returns screened stock data as a complete CSV with Chinese column headers and attaches a description file explaining each column. - Avoids outdated financial information by ensuring all data is up to date. - Includes step-by-step usage instructions, example queries, and output formatting guidelines.
● 无害
安装命令 点击复制
官方npx clawhub@latest install mx-select-stock
镜像加速npx clawhub@latest install mx-select-stock --registry https://cn.clawhub-mirror.com
技能文档
Overview
This skill enables safe, up‑to‑date stock screening using the Meixiang (妙想) stock‑screening service. It supports custom filters on market, financial indicators, and sector/category constraints, returning a full data table (CSV) with Chinese column headers and a supplemental description file.Prerequisites
- Obtain an API key from the Meixiang Skills page.
- Export the key to the environment variable
MX_APIKEY:
export MX_APIKEY="your_api_key_here"
- Ensure
curlis installed (standard on macOS).
Usage Steps
- Formulate the query – translate the user’s natural‑language request into a JSON payload containing at least:
keyword – the screening condition (e.g., "今日涨幅2%的股票")
- pageNo – page number (default 1)
- pageSize – number of rows per page (max 100, adjust as needed)
- Execute the POST request:
curl -X POST \
--location 'https://mkapi2.dfcfs.com/finskillshub/api/claw/stock-screen' \
--header 'Content-Type: application/json' \
--header "apikey:${MX_APIKEY}" \
--data '{"keyword":"","pageNo":1,"pageSize":20}'
- Parse the JSON response – important fields:
status / message – overall request success.
- data.code / data.msg – business‑level status.
- data.data.result.columns – column definitions.
- data.data.result.dataList – rows of stock data.
- responseConditionList – condition statistics.
- Transform column titles – map each
keyto its Chinesetitlefrom thecolumnsarray, then build a CSV where the header line uses the Chinese titles. - Save output (optional):
# Save raw JSON
curl ... > mx_select_stock_raw.json
# Save CSV