选股 / 选板块 / 选基金

Name: mx-stocks-screener
Author: financial-ai-analyst

Share on X Share on LinkedIn Share on Bluesky

70High

The skill is vulnerable to prompt injection via user queries and path traversal through an insecure output directory, risking data manipulation and system compromise.

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

选股 / 选板块 / 选基金: 通过**自然语言查询**进行选股，数据来自于妙想大模型服务，支持以下类型： - **A股**、**港股**、**美股** - **基金**、**ETF**、**可转债**、**板块**

Actually does

This skill executes a Python script (`get_data.py`) to query the Eastmoney Miaoxiang service API (`https://ai.eastmoney.com/mxClaw`) using a provided `EM_API_KEY`. It takes natural language queries and asset types as input, then outputs the results as local CSV and description text files. It requires `httpx` to be installed.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learningclean

Behavioural ControlAction1 finding

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namefinancial-ai-analyst/mx-stocks-screener

Registryclawhub

Version1.0.14

PURLpkg:clawhub/financial-ai-analyst/mx-stocks-screener@1.0.14

Stars85

Downloads20,738

Installs30

Source

Repository ↗

SHA-25644d117a80195...

SHA-1d643ce860171...

MD534dbb0f56d76...

TLSHddb108380c33...

ssdeep96:BgI52KesQ...

Size5,511 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/financial-ai-analyst/mx-stocks-screener

20,738 downloads30 installs

ClawHubDocs

openclaw skills install financial-ai-analyst/mx-stocks-screener

Assessments (2)

AI Agent Traps ↗

Prompt Injection via user-controlled queryhighprompt injection

The skill accepts a user-controlled natural language query (`--query` parameter) which is processed by an underlying large language model service. This input can be exploited for prompt injection to manipulate the model's behavior, extract unintended information, or bypass security controls.

90% confidenceline 48

python3 {baseDir}/scripts/get_data.py --query "..." --select-type A股
数据来自于妙想大模型服务

Output directory manipulation risklowresource abuse

The `MX_STOCKS_SCREENER_OUTPUT_DIR` environment variable allows users to specify an arbitrary output directory. Without proper path validation, this could potentially be abused for path traversal or to write files to unintended system locations, leading to resource abuse or data overwrite.

60% confidenceline 167

export MX_STOCKS_SCREENER_OUTPUT_DIR="/path/to/output"

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-stocks-screener.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/financial-ai-analyst/mx-stocks-screener)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/financial-ai-analyst/mx-stocks-screener"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-stocks-screener.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/financial-ai-analyst/mx-stocks-screener.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow