Low Risk — Risk Score 10/100
Last scan: 2 days ago
initiation_of_coverage_or_deep_dive
An AI skill that generates initiation-of-coverage reports or deep-dive research reports for companies listed in Shanghai, Shenzhen, Beijing, Hong Kong and the US.
A legitimate East Money stock research report generator with no malicious behavior; the pre-scan IOC flag was a false positive on a placeholder string in documentation.
Skill Name: initiation_of_coverage_or_deep_dive
Duration: 37.1s
Engine: pi
Safe to install
No action required. The skill performs as declared: calls an East Money API and saves base64-decoded report files locally. Consider pinning httpx to a specific version.

Findings (2 items)

Severity | Finding | Location
Low | httpx dependency not version-pinned | SKILL.md:35
  SKILL.md's pip install command does not specify a version constraint for httpx. Using 'httpx' with no pin allows pip to install any future version, which could theoretically introduce a malicious dependency.
  Evidence: pip3 install httpx --user
  → Pin httpx to a specific version, e.g., 'pip3 install httpx==0.27.0 --user'
Info | Pre-scan IOC is a false positive | SKILL.md:47
  The pre-scan flagged 'your_api_key_here' at SKILL.md:47 as a hardcoded credential. This is a clearly documented placeholder example used in instructions, not an actual secret. No real credentials are present.
  Evidence: export EM_API_KEY="your_api_key_here"
  → No action needed; this is a documentation placeholder.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | httpx POST to ai-saas.eastmoney.com only
Filesystem | WRITE | WRITE | ✓ Aligned | saves PDF/Word to user-specified output directory only
Environment | READ | READ | ✓ Aligned | reads EM_API_KEY and optional INITIATION_OF_COVERAGE_OR_DEEP_DIVE_OUTPUT_DIR onl…
Shell | NONE | NONE | | no subprocess, os.system, or shell pipes found
Skill Invoke | NONE | NONE | | no recursive skill invocation
Clipboard | NONE | NONE | | no clipboard access
Browser | NONE | NONE | | no browser automation
Database | NONE | NONE | | no database access
Pre-scan IOCs: 1 High, 2 findings
High | API Key | Suspected hardcoded credential | API_KEY="your_api_key_here" | SKILL.md:47
Medium | External URL | https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/initial-coverage | scripts/generate_deep_research_report.py:71

File Tree

2 files · 16.1 KB · 390 lines
Python: 1 file · 215 lines; Markdown: 1 file · 175 lines
├─ scripts/
│ └─ generate_deep_research_report.py (Python, 215 lines · 9.8 KB)
└─ SKILL.md (Markdown, 175 lines · 6.4 KB)

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
httpx | * | pip | No | No version pin — recommend pinning to a specific version

Security Positives

✓ No shell execution, subprocess, or eval() calls
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No credential exfiltration or data theft
✓ No base64-decode-into-shell or obfuscated code
✓ API endpoint is a well-known legitimate service (East Money / 东方财富)
✓ All capabilities (network, filesystem write, env read) are declared in SKILL.md
✓ Output files written only to user-specified directory, not to system paths
✓ Base64 decoding is used only for legitimate PDF/Word report saving
✓ Reasonable timeout (1200s) configured to prevent indefinite hangs