li-evan

A-Share Multi-Dimensional Quantitative Analysis

Author: Evan · GitHub · v1.5.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 457
Favorites: 0
Current installs: 2
Versions: 6
Install in OpenClaw
/install yanpan-finance
Description
A-Share Multi-Dimensional Quantitative Analysis MCP Server - broker research reports, AI news analysis, and stock comprehensive analysis
Security usage advice
This package is inconsistent: the SKILL.md points clients at an external MCP endpoint (42.121.167.42) and expects you to get an API key via WeChat, but the bundle also contains runnable server code with embedded MongoDB credentials and different IPs. Before installing or running anything:
  1. Do not run server.py unless you trust the source; running it will connect to a remote MongoDB (hard-coded creds) and open a public HTTP service.
  2. Verify the ownership and legitimacy of the advertised endpoint (42.121.167.42) and the MongoDB host (121.43.242.239): ask the provider for official documentation, who operates those hosts, and why credentials are embedded.
  3. Avoid sending your platform credentials or secrets to the WeChat contact; request platform-managed API keys or an official API page.
  4. If you only intend to call the remote MCP endpoint, treat it like any external API: review privacy, data retention, and what data you will send.
  5. If you need to run or modify the server code, remove hard-coded secrets, rotate any exposed credentials, and host the service in a controlled environment.
Given the embedded plaintext credentials and endpoint mismatches, proceed with caution or choose a more transparent provider.
Functional analysis
Type: OpenClaw Skill
Name: yanpan-finance
Version: 1.5.0
The skill provides financial analysis tools by connecting to a remote MongoDB instance (121.43.242.239) and references a hosted MCP server (42.121.167.42). While the code aligns with its stated purpose of A-share market analysis, server.py contains hardcoded database credentials ('tradingagents123') and a default API token ('yanpan-mcp-secret-2026'), which are significant security vulnerabilities. These risks appear to be unintentional design flaws for ease-of-use rather than intentional malice.
Capability assessment
Purpose & Capability
The listed tools (research report search, news analysis, stock analysis) match the server.py implementation: it queries MongoDB collections and returns report-like content. However, SKILL.md tells clients to connect to an external MCP endpoint (http://42.121.167.42:9800/mcp) while the included server runs on 0.0.0.0:9800 and embeds a different remote MongoDB host (121.43.242.239). The presence of runnable server code is not strictly necessary for a client-only instruction skill and the mismatched IPs and embedded DB usage reduce coherence.
Instruction Scope
SKILL.md itself is narrow: it instructs adding an MCP server entry pointing to an external URL and obtaining an API key via WeChat. It does not instruct reading local files or other system state. However, the distributed artifact includes server.py which, if executed, will open a public HTTP server, verify a static token, and connect to a remote MongoDB. That behavior is outside what the SKILL.md asks a user to do and expands scope if a user chooses to run the code.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or installed by the platform. The project includes a pyproject declaring dependencies (mcp, pymongo, uvicorn) which are reasonable for a Python MCP server. Risk arises only if the user manually installs or runs the included code.
Credentials
The skill metadata declares no required environment variables, but server.py expects and uses environment variables (API_TOKEN, MONGODB_HOST/PORT/USERNAME/PASSWORD/AUTH_SOURCE). Worse, the file contains default plaintext MongoDB credentials and host/IP (username: 'admin', password: 'tradingagents123', host: 121.43.242.239) and a default API_TOKEN. Embedding remote DB credentials in the bundle is disproportionate to a client-side integration and could expose or encourage use of a remote database with unclear ownership. Additionally, SKILL.md asks users to contact a WeChat ID for an API key rather than providing platform-managed credentials.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. There is no evidence it modifies other skills or system settings. However, if someone runs the included server.py, it will bind to 0.0.0.0:9800 and serve data authenticated by a static token—this creates a persistent network service outside the skill registry and can expose data depending on how it's configured.
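How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install yanpan-finance
  3. After installation, call the Skill by name or trigger it with /yanpan-finance
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history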
v1.5.0
Update WeChat contact to ptcg12345
v1.4.0
Replace API token with placeholder
v1.3.0
Rename to A-Share Multi-Dimensional Quantitative Analysis; add WeChat contact (wolfking) for API key
v1.2.0
Remove hardcoded token, use YANPAN_API_KEY env variable
v1.1.0
Hosted service mode - connect directly, no deployment needed
v1.0.0
Initial release: broker research report search, news analysis, and comprehensive stock analysis MCP Server
Metadata
Slug: yanpan-finance
Version: 1.5.0
License: MIT-0
Total installs: 2
Current installs: 2
Number of versions: 6
FAQ

What is A-Share Multi-Dimensional Quantitative Analysis?

A-Share Multi-Dimensional Quantitative Analysis MCP Server - broker research reports, AI news analysis, and stock comprehensive analysis. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 457 total downloads to date.

How do I install A-Share Multi-Dimensional Quantitative Analysis?

Run the command "/install yanpan-finance" in the OpenClaw or Claude Code chat box for a one-click install, with no additional configuration required.

Is A-Share Multi-Dimensional Quantitative Analysis free?

Yes, A-Share Multi-Dimensional Quantitative Analysis is completely free under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does A-Share Multi-Dimensional Quantitative Analysis support?

A-Share Multi-Dimensional Quantitative Analysis is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed A-Share Multi-Dimensional Quantitative Analysis?

It is developed and maintained by Evan (@li-evan); the current version is v1.5.0.
