Low Risk — Risk Score 15/100
Last scan: 23 hr ago
StockToday MCP
Stock data MCP server providing 155+ Tushare API interfaces
A legitimate stock market data MCP server that proxies requests to a custom backend, with no malicious behavior detected beyond using a non-official Tushare backend.
Skill Name: StockToday MCP
Duration: 31.6s
Engine: pi
Safe to install
This skill is safe for use. However, verify the trustworthiness of https://tushare.citydata.club/ before deployment, as it replaces the official Tushare API.

Findings 2 items

Severity: Low
Finding: Non-official Tushare backend (Doc Mismatch)
Location: SKILL.md:38
The skill claims to use Tushare API but actually proxies to a custom backend at tushare.citydata.club. While documented in SKILL.md, this is a significant deviation from the implied Tushare branding.
Uses a custom backend service: `https://tushare.citydata.club/`
→ Ensure the custom backend is trustworthy and has proper data handling policies.

Severity: Info
Finding: Hardcoded test token in test file (Sensitive Access)
Location: test_all.js:97
test_all.js contains a hardcoded token 'citydata' for testing purposes. This is acceptable for a test file but should not be used in production.
const TOKEN = 'citydata';
→ Remove or secure the test token and rely on environment variables in production.

Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | src/index.ts:25 - fetch calls to external API
Environment | READ | READ | ✓ Aligned | src/index.ts:6 - reads STOCKTODAY_TOKEN from env
Filesystem | NONE | NONE | | No file system access in src/index.ts

108 findings

File Tree

10 files · 126.2 KB · 2912 lines
JSON 3f · 1346L JavaScript 3f · 945L TypeScript 1f · 274L Markdown 2f · 215L Python 1f · 132L
├─ 📁 dist
│ ├─ 📜 index_generated.js JavaScript 533L · 19.8 KB
│ └─ 📜 index.js JavaScript 249L · 22.8 KB
├─ 📁 src
│ └─ 📜 index.ts TypeScript 274L · 22.4 KB
├─ 🐍 generate_mcp.py Python 132L · 3.7 KB
├─ 📋 package-lock.json JSON 1309L · 45.6 KB
├─ 📋 package.json JSON 22L · 524 B
├─ 📝 README.md Markdown 171L · 4.8 KB
├─ 📝 SKILL.md Markdown 44L · 736 B
├─ 📜 test_all.js JavaScript 163L · 5.7 KB
└─ 📋 tsconfig.json JSON 15L · 338 B

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
@modelcontextprotocol/sdk | ^1.0.0 | npm | No | Pinned in package-lock.json
axios | ^1.6.0 | npm | No | Pinned in package-lock.json
typescript | ^5.0.0 | npm | No | Dev dependency, pinned in package-lock.json

Security Positives

✓ No shell execution, subprocess, or system command access
✓ No credential harvesting beyond the intended STOCKTODAY_TOKEN
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No data exfiltration or C2 communication patterns
✓ Standard MCP SDK with pinned dependencies in package-lock.json
✓ All 155+ tools are well-documented with parameter schemas
✓ Token can be passed as parameter, not just environment variable