Low risk: risk score 10/100
Last scan: 2 days ago
initiation_of_coverage_or_deep_dive
An AI skill that generates initiation-of-coverage or deep-dive research reports for companies listed in Shanghai, Shenzhen, Beijing, Hong Kong and the US.
A legitimate East Money stock research report generator with no malicious behavior; the pre-scan IOC flag was a false positive on a placeholder string in documentation.
Skill name: initiation_of_coverage_or_deep_dive
Analysis time: 37.1s
Engine: pi
Verdict: safe to install
No action required. The skill performs as declared: calls an East Money API and saves base64-decoded report files locally. Consider pinning httpx to a specific version.

Security findings (2)

Severity · Finding · Location

Low: httpx dependency not version-pinned (SKILL.md:35)
SKILL.md's pip install command gives no version constraint for httpx. Without a pin, pip installs whatever version is current at install time, so a future compromised or malicious release would be pulled in automatically.
    pip3 install httpx --user
→ Pin httpx to a specific version, e.g. 'pip3 install httpx==0.27.0 --user'. A version pin alone does not verify what is downloaded; for stronger supply-chain protection, record the package hash in a requirements file and install in pip's --require-hashes mode.

Tip: Pre-scan IOC is a false positive (SKILL.md:47)
The pre-scan flagged 'your_api_key_here' at SKILL.md:47 as a hardcoded credential. It is a clearly documented placeholder used in the setup instructions, not an actual secret. No real credentials are present.
    export EM_API_KEY="your_api_key_here"
→ No action needed; this is a documentation placeholder.
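Both findings above are the kind of thing a SKILL.md linter can produce mechanically: one pass that flags pip install targets without an exact pin, and a second that triages credential-looking assignments so a documented placeholder such as 'your_api_key_here' is not reported as a live secret. The following is an added example of such a linter, not the scanner's or the skill's own code. The SKILL.md text it runs over is constructed to resemble the two findings; the pinned 'requests' line, the OTHER_TOKEN value and the placeholder word list are assumptions.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of a SKILL.md, modelled on the two findings in the report
# (an unpinned pip install and a placeholder credential). It is not the skill's
# real file; the pinned 'requests' line and the OTHER_TOKEN value are made up.
SAMPLE_SKILL_MD = """\
## Setup
pip3 install httpx --user
pip3 install requests==2.32.3 --user
pip3 install -r requirements.txt

## Configuration
export EM_API_KEY="your_api_key_here"
export OTHER_TOKEN="Q7zLm2pXw8vRt4yBn6cHd1sJe0u9fA3k"
"""

PIP_INSTALL_RE = re.compile(r"^\s*(?:python3?\s+-m\s+)?pip3?\s+install\b(.*)$")
# pip options that consume the following token; the consumed token is not a package
OPTS_WITH_VALUE = {"-r", "--requirement", "-i", "--index-url",
                   "--extra-index-url", "-c", "--constraint"}
SECRET_ASSIGN_RE = re.compile(
    r"""(?:export\s+)?([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)\s*=\s*["']?([^"'\s]+)["']?""")
# Assumed placeholder vocabulary; extend it with whatever your own docs use.
PLACEHOLDER_RE = re.compile(r"(your[_-]|placeholder|example|changeme|xxx+|<[^>]*>|\.\.\.)", re.I)


def find_unpinned_pip_installs(text: str) -> List[Tuple[int, str]]:
    """Return (line number, package) for every pip install target lacking an exact '==' pin."""
    unpinned = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIP_INSTALL_RE.match(line)
        if not m:
            continue
        skip_next = False
        for tok in m.group(1).split():
            if skip_next:                 # value of -r / -i / -c, not a package
                skip_next = False
                continue
            if tok in OPTS_WITH_VALUE:
                skip_next = True
                continue
            if tok.startswith("-"):       # a bare flag such as --user
                continue
            if "==" not in tok:           # '>=', '~=' or no specifier at all is not a pin
                package = re.split(r"[<>~!=\[@]", tok)[0]
                unpinned.append((lineno, package))
    return unpinned


def shannon_entropy(s: str) -> float:
    """Bits per character. Used only as a backstop for repetitive values like 'xxxxxxxx'."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def triage_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Classify credential-looking assignments as 'placeholder' or 'suspected_real'."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_ASSIGN_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        # Placeholder wording decides first; the entropy threshold (assumed 3.0 bits)
        # catches short or repetitive dummies the word list does not name.
        if PLACEHOLDER_RE.search(value) or shannon_entropy(value) < 3.0:
            verdict = "placeholder"
        else:
            verdict = "suspected_real"
        results.append((lineno, name, verdict))
    return results


def lint_skill_md(text: str) -> dict:
    """Run both checks and return their findings keyed by check name."""
    return {"unpinned": find_unpinned_pip_installs(text),
            "credentials": triage_credentials(text)}


if __name__ == "__main__":
    for check, findings in lint_skill_md(SAMPLE_SKILL_MD).items():
        print(check, findings)
```

On the constructed sample the linter reports httpx on line 2 as unpinned, leaves the pinned requests line and the -r requirements file alone, classifies EM_API_KEY as a placeholder and OTHER_TOKEN as a suspected real secret. The placeholder word list is the part that needs tuning per corpus; the entropy test alone would not catch 'your_api_key_here', whose entropy is about 3.3 bits per character.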
Resource            Declared  Inferred  Status          Evidence
Network access      READ      READ      ✓ consistent    httpx POST to ai-saas.eastmoney.com only
File system         WRITE     WRITE     ✓ consistent    saves PDF/Word to user-specified output directory only
Environment vars    READ      READ      ✓ consistent    reads EM_API_KEY and optional INITIATION_OF_COVERAGE_OR_DEEP_DIVE_OUTPUT_DIR onl…
Command execution   NONE      NONE                      no subprocess, os.system, or shell pipes found
Skill invocation    NONE      NONE                      no recursive skill invocation
Clipboard           NONE      NONE                      no clipboard access
Browser             NONE      NONE                      no browser automation
Database            NONE      NONE                      no database access
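A static check of the kind this table summarises, as an added example that is neither the scanner's nor the skill's code: it walks the Python AST of a constructed stand-in for scripts/generate_deep_research_report.py, infers capabilities from imports and call sites, and diffs them against the set SKILL.md declares. It goes beyond this page's case by also showing the mismatch an undeclared subprocess call would produce. The stand-in mirrors only what the report describes (httpx POST to the listed endpoint, env read, base64 decode, file write); its header name, payload shape and the spliced-in cleanup function are assumptions.

```python
import ast
from typing import Dict, Set

# Constructed stand-in for scripts/generate_deep_research_report.py. It mirrors
# only the behaviour the report describes; it is not the skill's real source,
# and the X-Api-Key header and payload shape are assumptions.
SAMPLE_SOURCE = '''
import base64
import os
import httpx

ENDPOINT = "https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/initial-coverage"

def fetch_report(payload):
    api_key = os.environ["EM_API_KEY"]
    resp = httpx.post(ENDPOINT, json=payload, headers={"X-Api-Key": api_key}, timeout=1200)
    return resp.json()

def save_report(data, out_dir):
    out_dir = os.environ.get("INITIATION_OF_COVERAGE_OR_DEEP_DIVE_OUTPUT_DIR", out_dir)
    path = os.path.join(out_dir, data["filename"])
    with open(path, "wb") as fh:
        fh.write(base64.b64decode(data["content"]))
    return path
'''

# The same stand-in with an undeclared subprocess call spliced in (assumed), to show a mismatch.
SAMPLE_WITH_EXEC = SAMPLE_SOURCE + '''
import subprocess

def cleanup(path):
    subprocess.run(["rm", "-f", path])
'''

# Capabilities the report's table lists as declared in SKILL.md
DECLARED = {"network", "fs_write", "env_read"}

NETWORK_MODULES = {"httpx", "requests", "urllib", "socket", "aiohttp", "http"}
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "eval", "exec"}


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as os.environ.get as 'os.environ.get'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def infer_capabilities(source: str) -> Set[str]:
    """Heuristic static inference from imports and call sites.
    Aliased imports (import os as o) and dynamic dispatch are out of scope here."""
    caps: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            roots = {alias.name.split(".")[0] for alias in node.names}
        elif isinstance(node, ast.ImportFrom):
            roots = {(node.module or "").split(".")[0]}
        else:
            roots = set()
        if roots & NETWORK_MODULES:
            caps.add("network")
        if "subprocess" in roots:          # importing it at all is treated as exec capability
            caps.add("exec")

        if isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target in EXEC_CALLS:
                caps.add("exec")
            elif target == "open":
                mode = "r"                 # open() default
                if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                    mode = str(node.args[1].value)
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = str(kw.value.value)
                caps.add("fs_write" if any(c in mode for c in "wax+") else "fs_read")
            elif target in ("os.getenv", "os.environ.get"):
                caps.add("env_read")
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            caps.add("env_read")           # os.environ["NAME"]
    return caps


def check_declared(declared: Set[str], inferred: Set[str]) -> Dict[str, Set[str]]:
    """undeclared = inferred but absent from SKILL.md; unused = declared but never exercised."""
    return {"undeclared": inferred - declared, "unused": declared - inferred}


if __name__ == "__main__":
    for label, src in (("as scanned", SAMPLE_SOURCE), ("with exec spliced in", SAMPLE_WITH_EXEC)):
        inferred = infer_capabilities(src)
        print(label, sorted(inferred), check_declared(DECLARED, inferred))
```

For the stand-in as scanned the inferred set is exactly the declared one, which is the "consistent" column above; with the subprocess call spliced in, 'exec' shows up as undeclared. A real scanner would add the same treatment for clipboard, browser and database libraries and would resolve import aliases before matching.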
Pre-scan IOCs: 2 findings (1 high)

🔑 High · API key · suspected hardcoded credential
    API_KEY="your_api_key_here"
SKILL.md:47 (triaged above as a documentation placeholder; false positive)

🔗 Medium · External URL
    https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/initial-coverage
scripts/generate_deep_research_report.py:71 (the declared East Money endpoint)

Directory structure

2 files · 16.1 KB · 390 lines
Python: 1 file · 215 lines; Markdown: 1 file · 175 lines
├─ 📁 scripts
│ └─ 🐍 generate_deep_research_report.py  Python, 215 lines · 9.8 KB
└─ 📝 SKILL.md  Markdown, 175 lines · 6.4 KB

Dependency analysis (1)

Package   Version   Source   Known vulnerabilities   Notes
httpx     *         pip      (none reported)         No version pin; recommend pinning to a specific version

Security highlights

✓ No shell execution, subprocess, or eval() calls
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No credential exfiltration or data theft
✓ No base64-decode-into-shell or obfuscated code
✓ API endpoint is a well-known legitimate service (East Money / 东方财富)
✓ All capabilities (network, filesystem write, env read) are declared in SKILL.md
✓ Output files written only to user-specified directory, not to system paths
✓ Base64 decoding is used only for legitimate PDF/Word report saving
✓ Reasonable timeout (1200s) configured to prevent indefinite hangs