Stock Inquiry - 股票查询安全扫描报告 — 可信 | ClawSafe

5 /100

Stock Inquiry - 股票查询

按股票代码查当日行情与详情（分钟级趋势），或按分类拉取沪深、港股、北证等股票列表

A straightforward stock query skill that calls a legitimate financial API using a user-provided key. No malicious behavior detected.

技能名称Stock Inquiry - 股票查询

分析耗时23.6s

引擎pi

✓

可以安装

Skill is safe to use. No security concerns identified.

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	stock.py:15 - requests.get() to api.jisuapi.com
环境变量	`READ`	`READ`	✓ 一致	stock.py:111 - os.getenv('JISU_API_KEY')
命令执行	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution found
文件系统	`NONE`	`NONE`	—	No file read/write operations in code

1 高危 5 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:28

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

中危外部 URL 外部 URL

https://clawhub.ai/jisuapi/stockhistory

SKILL.md:16

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/api/stock/

SKILL.md:21

🔗

中危外部 URL 外部 URL

https://api.jisuapi.com/stock

stock.py:15

目录结构

2 文件 · 11.5 KB · 349 行

Markdown 1f · 216L Python 1f · 133L

├─ 📝 SKILL.md Markdown 216L · 7.4 KB

└─ 🐍 stock.py Python 133L · 4.1 KB

包名	版本	来源	已知漏洞	备注
`requests`	`*`	pip	否	Standard HTTP library, version not pinned but no security impact for this use case

✓ No shell execution (subprocess, os.system, popen)

✓ No credential exfiltration or harvesting

✓ No base64/encoded payloads or eval usage

✓ No sensitive path access (~/.ssh, ~/.aws, .env files)

✓ No curl|bash or wget|sh remote script execution

✓ API key is read-only from environment, not transmitted to third parties

✓ Clean, straightforward implementation with clear error handling

✓ Script requires only necessary network access for API calls