Trusted — Risk Score 5/100
Last scan: 1 day ago
mx_finance_data
Financial data query tool that provides stock, fund, bond and other financial data queries based on the East Money API
This is a legitimate financial data query skill that makes authenticated API calls to East Money's service and writes results locally. No malicious behavior detected.
Skill Name: mx_finance_data
Duration: 25.4s
Engine: pi
Safe to install
This skill is safe to use. Continue following the documented setup process to configure EM_API_KEY.

Findings 1 item

Severity: Info
Finding: Documentation example appears as potential credential (Doc Mismatch)
Location: SKILL.md:104
SKILL.md line 104 shows 'API_KEY="your_api_key_here"' which is a placeholder example for user configuration, not an actual credential. This is a documentation artifact, not a security issue.
export EM_API_KEY="your_api_key_here"
→ No action needed. This is a standard documentation placeholder for user configuration.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | scripts/get_data.py:360 - POST to https://ai-saas.eastmoney.com/proxy/b/mcp/tool… |
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/get_data.py:330 - Creates output directory and writes xlsx/txt files |
| Environment | READ | READ | ✓ Aligned | scripts/get_data.py:65 - Only reads EM_API_KEY for API authentication |
| Shell | NONE | NONE | | No subprocess or shell execution found |

1 High, 3 findings
High: API Key (suspected hard-coded credential)
API_KEY="your_api_key_here"
SKILL.md:104
Medium: External URL
https://ai.eastmoney.com/mxClaw
SKILL.md:27
Medium: External URL
https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchData
scripts/get_data.py:73

File Tree

2 files · 29.6 KB · 773 lines
Python 1f · 624L Markdown 1f · 149L
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 624L · 24.6 KB
└─ 📝 SKILL.md Markdown 149L · 5.0 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| httpx | unspecified | pip | No | Standard HTTP client library for API calls |
| pandas | unspecified | pip | No | Standard data analysis library |
| openpyxl | unspecified | pip | No | Standard Excel file writer |

Security Positives

✓ No credential hardcoding - EM_API_KEY is read from environment only
✓ No shell execution or subprocess calls
✓ No data exfiltration - only queries East Money API and writes results locally
✓ No obfuscation techniques (no base64, eval, or anti-analysis patterns)
✓ Clean code structure with proper error handling
✓ Documentation accurately describes all functionality
✓ Dependencies are standard and well-known (httpx, pandas, openpyxl)
✓ No suspicious network behavior - only connects to legitimate East Money domain