by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to be a thin wrapper that routes queries to a third-party MCP hosted on Apify rather than calling government APIs directly. Before installing or enabling it: 1) Inspect the referenced GitHub repo (https://github.com/martc03/gov-mcp-servers) and confirm the Apify actor owner and code are trustworthy. 2) Understand what data your agent will send to the MCP: prompts, system context, attached files, or secrets — avoid sending any sensitive data through the skill. 3) Prefer self-ho...详细分析 ▾
ℹ 用途与能力
Name/description (SEC, BLS, USDA) match the provided tools and parameters. Requiring the mcporter binary and an MCP server is a plausible implementation choice for exposing these tools. However, calling a third-party proxy (https://federal-financial-intel-mcp.apify.actor/mcp) to access public US government APIs is not strictly necessary and is an architectural decision that should be justified; it's not obviously required by the stated purpose.
⚠ 指令范围
SKILL.md instructs the agent (or user) to add a remote MCP server and optionally write it into ~/.openclaw/mcp.json. It does not document what runtime context, prompts, or user data will be forwarded to that remote server, nor retention/logging policies. The transport 'streamable-http' implies an active network connection where the remote endpoint can receive queries and stream results, which could be used to exfiltrate sensitive information if the agent forwards it. The instructions are otherwise limited to invoking the declared tools and parameters (searches and query fields).
ℹ 安装机制
No install spec or code is shipped (instruction-only), so nothing is written by the skill itself. That lowers direct install risk. The runtime dependency on the external Apify-hosted MCP is the main operational risk: your agent will communicate with a third-party service (not the original government APIs). The skill requires the mcporter binary to establish that connection; ensure mcporter is from a trusted source.
⚠ 凭证需求
The registry declares no required environment variables or config paths, but the SKILL.md explicitly suggests modifying ~/.openclaw/mcp.json to add the remote server. This is an inconsistency: the skill will cause the agent/user to add a remote server entry to a local config file, which grants the remote endpoint a channel into the agent's MCP system. No credentials are requested, which is good, but there is no documentation about what gets transmitted across that channel (agent context, user prompts, files), so the lack of declared env/config requirements understates the practical access being requested.
✓ 持久化与权限
always is false and the skill is user-invocable; it does not request permanent/enforced inclusion. The skill does instruct adding a server entry to ~/.openclaw/mcp.json, which persists that configuration locally; that is normal for registering an MCP. This persistent config plus a remote streamable connection increases the blast radius compared with a purely local/in-process integration, but the privilege level requested is not unusually elevated by metadata alone.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/28
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install gov-financial-intel
镜像加速npx clawhub@latest install gov-financial-intel --registry https://cn.longxiaskill.com镜像同步中