金融数据查询

Name: mx-finance-data
Author: financial-ai-analyst

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

70High

The skill is vulnerable to command injection, exposes

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

金融数据查询: - 本技能仅使用一个环境变量：`EM_API_KEY`。 - `EM_API_KEY` 由东方财富妙想服务（`https://ai.eastmoney.com/mxClaw`）签发，用于其接口鉴权。 - 在提供密钥前，请先确认密钥来源、可用范围、有效期及是否支持重置/撤销。 - 禁止在代码、提示词、日志或输出文件中硬编码/明文暴露密钥。

Actually does

The skill installs Python dependencies (`httpx`, `pandas`, `openpyxl`), reads an `EM_API_KEY` environment variable, and executes a Python script (`get_data.py`) with a natural language query. This script likely contacts the Eastmoney Miaoxiang service (`https://ai.eastmoney.com/mxClaw`) to retrieve financial data, outputting the results into an `.xlsx` file and a `.txt` description file.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learningclean

Behavioural ControlAction3 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namefinancial-ai-analyst/mx-finance-data

Registryclawhub

Version1.0.10

PURLpkg:clawhub/financial-ai-analyst/mx-finance-data@1.0.10

Stars64

Downloads18,112

Installs22

Source

Repository ↗

SHA-2567746998dac1d...

SHA-1ac2acf60d627...

MD5d7416b602988...

TLSHafa10a341665...

ssdeep96:MepyVueGq...

Size4,968 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/financial-ai-analyst/mx-finance-data

18,112 downloads22 installs

ClawHubDocs

openclaw skills install financial-ai-analyst/mx-finance-data

Assessments (1)

AI Agent Traps ↗

Potential Command Injection via Query Parameterhighcommand execution

The skill executes a Python script (`get_data.py`) with a user-provided natural language query as an argument. If the script does not properly sanitize this input before using it in shell commands or API calls, it could lead to command injection.

80% confidenceline 131

python3 {baseDir}/scripts/get_data.py --query "贵州茅台近期走势如何"

API Key Accessible to Executed Scripthighcredential theft

The `EM_API_KEY` is made available as an environment variable to the executed `get_data.py` script. A malicious or compromised script could exfiltrate this sensitive API key, leading to unauthorized access to the Eastmoney API.

90% confidenceline 104

requires: env: ["EM_API_KEY"], export EM_API_KEY="your_api_key_here"

Supply Chain Risk from Dependency Installationlowsupply chain

The skill installs Python dependencies (`httpx pandas openpyxl`) via `pip`. While these are common packages, there's an inherent supply chain risk if the package index is compromised or if typosquatting occurs, potentially leading to the execution of malicious code during installation.

70% confidence

install: [{id: "pip-deps", kind: "python", package: "httpx pandas openpyxl"}]

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-finance-data.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/financial-ai-analyst/mx-finance-data)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/financial-ai-analyst/mx-finance-data"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-finance-data.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-finance-data.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow