Use when the user needs Tonghuashun iFinD market, report, factor, screening, calendar, or other financial data, and all data must come from iFinD after succe...
Security Analysis
high confidence
The skill's code, instructions and requested secrets are consistent with a Tonghuashun iFinD query wrapper: it requires a user-provided iFinD refresh_token (exchanged for an access_token), uses python3, talks to iFinD endpoints, and only optionally calls an external LLM if explicitly enabled.
Name/description (iFinD natural-language query entry) matches the files and behavior: python CLI and runtime package that call iFinD HTTP endpoints (default base_url quantapi.51ifind.com). Required binary (python3) is appropriate. The skill is not requesting unrelated cloud credentials or unrelated system access.
Runtime instructions explicitly require the user to copy an iFinD refresh_token and use auth-set-refresh-token/auth-set-tokens; queries are always routed to iFinD. This is within scope for the stated purpose. Notable: the skill documents an optional LLM-based router that will send queries to an OpenAI‑compatible service if the operator sets IFIND_ROUTE_LLM_ENABLED and provides an API key — enabling that will transmit user queries (or routing plans) to a third-party LLM. That behavior is documented but is a privacy consideration.
No remote download/install spec is embedded in the registry metadata; the package contains Python scripts to run locally. There are no network-based installers or hidden download URLs in the provided files. The SKILL.md tells the installer to run scripts/install_skill.sh — check that script locally before running it (not provided in the manifest excerpt).
The skill does not request unrelated environment variables and needs only the iFinD tokens (refresh_token/access_token) to function — this is proportional. The optional LLM routing requires an API key (IFIND_ROUTE_LLM_API_KEY / OPENAI_API_KEY) only when explicitly enabled; that env var is not mandatory but will expose queries to a third-party LLM if set. The skill stores tokens locally (~/.openclaw/.../token_state.json) which is expected but means the stored credentials should be protected.
The skill stores token state in a skill-scoped file and does not request always:true or system-wide privileges. It does not modify other skills or system configs. Autonomous invocation is allowed by default but that is platform normal; there is no evidence it force-enables itself.
Guidance
This skill appears to do what it says: a local Python CLI/skill that exchanges an iFinD refresh_token for an access_token and routes natural-language queries to the iFinD API (quantapi.51ifind.com). Before installing or giving tokens:
1) Only provide the iFinD refresh_token if you trust the skill/operator — the refresh_token grants access to your iFinD account and is stored locally in the skill's token_state.json.
2) Do NOT share your iFinD username/password; the skill explicitly asks for refresh_token only.
3) If you enable the optional LLM routing (IFIND_ROUTE_LLM_ENABLED and IFIND_ROUTE_LLM_API_KEY), be aware user queries (or routing plans) will be sent to the configured LLM provider — this may leak sensitive query content.
4) Inspect scripts/install_skill.sh locally before running it and confirm installation path (~/.openclaw/workspace/skills/tonghuashun-ifind-skill).
5) If you need stronger isolation, run the skill in a restricted environment or use an account whose tokens you can revoke.
Overall the package is internally coherent with its stated purpose; the primary risk is the sensitive refresh_token and any optional LLM usage, not malicious mismatches.
Latest Release
v0.5.1
Fix the ClawHub publishing entry, keep the existing tonghuashun-ifind slug, and continue to use mandatory iFinD token authentication and natural-language routing.
Published by @etherstrings on ClawHub