Scan Report
5 /100
Stock Inquiry - 股票查询
按股票代码查当日行情与详情(分钟级趋势),或按分类拉取沪深、港股、北证等股票列表
A straightforward stock query skill that calls a legitimate financial API using a user-provided key. No malicious behavior detected.
Safe to install
Skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | stock.py:15 - requests.get() to api.jisuapi.com |
| Environment | READ | READ | ✓ Aligned | stock.py:111 - os.getenv('JISU_API_KEY') |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell execution found |
| Filesystem | NONE | NONE | — | No file read/write operations in code |
1 High 5 findings
High API Key 疑似硬编码凭证
API_KEY="your_appkey_here" SKILL.md:28 Medium External URL 外部 URL
https://www.jisuapi.com/ SKILL.md:9 Medium External URL 外部 URL
https://clawhub.ai/jisuapi/stockhistory SKILL.md:16 Medium External URL 外部 URL
https://www.jisuapi.com/api/stock/ SKILL.md:21 Medium External URL 外部 URL
https://api.jisuapi.com/stock stock.py:15 File Tree
2 files · 11.5 KB · 349 lines Markdown 1f · 216L
Python 1f · 133L
├─
SKILL.md
Markdown
└─
stock.py
Python
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
requests | * | pip | No | Standard HTTP library, version not pinned but no security impact for this use case |
Security Positives
✓ No shell execution (subprocess, os.system, popen)
✓ No credential exfiltration or harvesting
✓ No base64/encoded payloads or eval usage
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No curl|bash or wget|sh remote script execution
✓ API key is read-only from environment, not transmitted to third parties
✓ Clean, straightforward implementation with clear error handling
✓ Script requires only necessary network access for API calls