Low Risk — Risk Score 15/100
Last scan: 2 days ago
stock-earnings-review
Listed-company earnings review: generates earnings commentary for the five major markets (Shanghai, Shenzhen, Beijing, Hong Kong, US) from the East Money database, including financial-report analysis and saving PDF/Word attachments.
This is a legitimate stock earnings review skill that only calls East Money (eastmoney.com) APIs, reads a single declared environment variable (EM_API_KEY) for authentication, and writes files to a declared output directory (miaoxiang/stock-earnings-review/).
Skill Name: stock-earnings-review
Duration: 33.3s
Engine: pi
Safe to install
The skill is safe to use. Consider pinning the httpx dependency to a specific version in documentation to avoid potential supply-chain surprises.

Findings (2 items)

Severity | Finding | Location
Low | API key placeholder in documentation example | SKILL.md:79
SKILL.md line 79 shows 'your_api_key_here' as an export example. This is a documentation placeholder, not an actual credential, but the pre-scan flagged it as a suspicious hardcoded value. It does not represent a real credential risk.
    export EM_API_KEY="your_api_key_here"
→ Change the example to a clearly non-functional placeholder such as 'YOUR_KEY_HERE' or '<YOUR_KEY>' to prevent any confusion with real credentials.
Low | httpx dependency not version-pinned | SKILL.md:100
SKILL.md instructs 'pip3 install httpx --user' without a version constraint, so a future httpx release could change behavior under the skill's scripts without any change to the skill itself.
    pip3 install httpx --user
→ Pin to a specific version: pip3 install httpx==0.27.0 --user. A version pin prevents behavioral drift but does not detect a tampered release; for that, install from a requirements file carrying --hash entries under pip's --require-hashes mode.
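The two findings above rest on two heuristics: telling a documentation placeholder apart from a real credential, and recognising a requirement that is not pinned. The following is an added example of how such triage can be scripted; it is illustrative code written for this page, not the scanner's own engine. The placeholder vocabulary, the 3.5-bit entropy threshold, the option list and the two-line sample snippet are this example's assumptions.

```python
"""Triage two kinds of scanner findings on SKILL.md-style text.
Added example written for this page, not the scanner's code: the placeholder
vocabulary, entropy threshold and sample snippet below are assumptions."""
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed two-line input mirroring the flagged lines in the report.
SKILL_MD_SNIPPET = 'export EM_API_KEY="your_api_key_here"\npip3 install httpx --user\n'

# Substrings that mark a documentation stand-in rather than a real secret (assumed list).
PLACEHOLDER_WORDS = ("your_", "_here", "example", "placeholder", "changeme", "xxx", "<", ">", "dummy")
# KEY="value" assignments whose variable name looks credential-like.
ASSIGN_RE = re.compile(r'(?i)\b([A-Z0-9_]*(?:key|token|secret|password)[A-Z0-9_]*)\s*=\s*["\']([^"\']+)["\']')
PIP_RE = re.compile(r'\bpip3?\s+install\s+(.+)')
# name[extras] <op> version, PEP 508 style, without URL or environment-marker support.
SPEC_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s,;]*)')
# pip options that consume the following token, so that token is not a requirement.
OPTS_WITH_ARG = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
                 "--extra-index-url", "-f", "--find-links", "-e", "--editable"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking keys score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_secret(value: str) -> str:
    """'placeholder' for documentation stand-ins, 'likely-real' for long
    high-entropy strings, 'unclear' otherwise (thresholds are assumptions)."""
    low = value.lower()
    if any(w in low for w in PLACEHOLDER_WORDS):
        return "placeholder"
    if len(value) >= 16 and shannon_entropy(value) >= 3.5:
        return "likely-real"
    return "unclear"


def classify_pin(spec: str) -> str:
    """'exact' for ==x.y.z, 'range' for any other operator or a wildcard,
    'unpinned' when no version is given at all."""
    m = SPEC_RE.match(spec)
    if not m:
        return "unparsed"
    op, ver = m.group(3), m.group(4)
    if not op:
        return "unpinned"
    if op == "==" and ver and "*" not in ver:
        return "exact"
    return "range"


def triage(text: str) -> List[Dict[str, object]]:
    """Scan each line for credential-like assignments and pip install commands."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            findings.append({"line": lineno, "kind": "credential",
                             "name": m.group(1), "verdict": classify_secret(m.group(2))})
        pm = PIP_RE.search(line)
        if not pm:
            continue
        skip_next = False
        for tok in pm.group(1).split():
            if skip_next:
                skip_next = False
                continue
            if tok in OPTS_WITH_ARG:
                skip_next = True
                continue
            if tok.startswith("-"):
                continue
            findings.append({"line": lineno, "kind": "dependency",
                             "name": tok, "verdict": classify_pin(tok)})
    return findings


if __name__ == "__main__":
    for f in triage(SKILL_MD_SNIPPET):
        print(f)
```

Running it on the constructed snippet reports the line-1 assignment as a placeholder (so it can be downgraded rather than raised as a credential leak) and the line-2 requirement as unpinned; the same `classify_pin` rates `httpx==0.27.0` as exact and `httpx>=0.27` or `httpx==0.27.*` as a range, which is why the fix above names one version.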
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All HTTP calls are documented: 3 eastmoney.com API endpoints
Environment | READ | READ | ✓ Aligned | Only reads EM_API_KEY; clearly declared in SKILL.md
Filesystem | WRITE | WRITE | ✓ Aligned | Writes only to miaoxiang/stock-earnings-review/ with mkdir; declared in SKILL.md
Shell | NONE | NONE | ✓ Aligned | No subprocess/os.system calls found in any script
Clipboard | NONE | NONE | ✓ Aligned | No clipboard access found
Browser | NONE | NONE | ✓ Aligned | No browser automation found
Database | NONE | NONE | ✓ Aligned | No database access found
Skill Invoke | NONE | NONE | ✓ Aligned | No skill invocation found
Pre-scan flags: 4 findings (1 High, 3 Medium)

These are the raw pattern hits from the pre-scan. The High item is the documentation placeholder already triaged as Low above, and the three URLs are the declared eastmoney.com endpoints counted in the capability map.

High | API Key: suspected hardcoded credential | SKILL.md:79
    API_KEY="your_api_key_here"
Medium | External URL | scripts/common.py:11
    https://ai-saas.eastmoney.com/proxy/entity/dialogTagsV2
Medium | External URL | scripts/common.py:12
    https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/choice/reportList
Medium | External URL | scripts/common.py:13
    https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/performance/comment

File Tree

6 files · 34.9 KB · 905 lines (Python: 4 files, 557 lines; Markdown: 2 files, 348 lines)
├─ 📁 scripts
│ ├─ 🐍 call_review_api.py Python 128L · 4.3 KB
│ ├─ 🐍 common.py Python 218L · 6.9 KB
│ ├─ 🐍 normalize_report_period.py Python 132L · 4.5 KB
│ └─ 🐍 validate_entity.py Python 79L · 2.6 KB
├─ 📝 BUSINESS_LOGIC.md Markdown 138L · 7.5 KB
└─ 📝 SKILL.md Markdown 210L · 9.2 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
httpx | * | pip | No | Version not pinned in SKILL.md install instructions

Security Positives

✓ No subprocess, os.system, or any shell execution calls found — all scripts use pure httpx/async IO
✓ No base64 piped into bash or other high-risk code patterns detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials store)
✓ No data exfiltration: all network requests go to the documented eastmoney.com API endpoints (this check is on destinations; the API key and query parameters are sent to East Money by design)
✓ No hidden instructions in comments or HTML
✓ No eval(), exec(), or dynamic code execution
✓ Capability map is fully aligned with declared behavior
✓ API key is read only from environment variable, never hardcoded in scripts
✓ Files written only to a declared output directory with controlled path construction
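The capability map above and the Security Positives list both come down to one mechanism: inferring what a script touches (network destinations, environment variables, filesystem writes, shell execution, dynamic code) from its source and comparing that with what the skill declares. The following is an added example of that inference over a Python AST; it is written for this page and is not the scanner's engine or any of the skill's files. The sample script (modelled on the report's description of common.py, not copied from it), the manifest shape and the lists of call names treated as shell, dynamic-code and write operations are assumptions.

```python
"""Infer a script's capabilities from its AST and compare them with the
manifest.  Added example for this page, not the scanner's code; the sample
script, the manifest format and the name lists are assumptions."""
import ast
from typing import Dict, Set

# Constructed sample in the style described for scripts/common.py (not the real file).
SAMPLE_SCRIPT = '''
import os, json, httpx
from pathlib import Path

BASE = "https://ai-saas.eastmoney.com/proxy/entity/dialogTagsV2"
API_KEY = os.environ["EM_API_KEY"]
OUT = Path("miaoxiang/stock-earnings-review")

def fetch(code):
    OUT.mkdir(parents=True, exist_ok=True)
    r = httpx.get(BASE, params={"code": code}, headers={"Authorization": API_KEY})
    (OUT / f"{code}.json").write_text(r.text)
'''

# What the manifest declares (assumed format: resource -> access level).
DECLARED = {"Network": "READ", "Environment": "READ", "Filesystem": "WRITE"}

SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output", "subprocess.check_call"}
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__"}
WRITE_METHODS = {"write_text", "write_bytes", "mkdir", "makedirs", "unlink", "rmtree", "remove"}
ENV_GETTERS = {"os.getenv", "os.environ.get"}


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as subprocess.run as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""  # receiver is an expression (call result, BinOp, ...), not a name


def infer_capabilities(source: str) -> Dict[str, Set[str]]:
    """Walk the AST once and collect evidence per resource class."""
    caps: Dict[str, Set[str]] = {k: set() for k in
                                 ("Network", "Environment", "Filesystem", "Shell", "Dynamic code")}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith(("http://", "https://")):
            caps["Network"].add(node.value)
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ" \
                and isinstance(node.slice, ast.Constant):
            caps["Environment"].add(str(node.slice.value))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            method = node.func.attr if isinstance(node.func, ast.Attribute) else name
            if name in SHELL_CALLS:
                caps["Shell"].add(name)
            elif name in DYNAMIC_CALLS:
                caps["Dynamic code"].add(name)
            elif name in ENV_GETTERS and node.args and isinstance(node.args[0], ast.Constant):
                caps["Environment"].add(str(node.args[0].value))
            elif name == "open":
                # open() is a write only if the mode argument says so.
                mode = node.args[1].value if len(node.args) > 1 \
                    and isinstance(node.args[1], ast.Constant) else "r"
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = kw.value.value
                if any(c in str(mode) for c in "wax+"):
                    caps["Filesystem"].add("open:" + str(mode))
            elif method in WRITE_METHODS:
                caps["Filesystem"].add(method)
    return caps


def compare(declared: Dict[str, str], inferred: Dict[str, Set[str]]) -> Dict[str, str]:
    """Aligned: declaration matches evidence.  Undeclared: used but not declared.
    Unused: declared but no evidence found (worth a look, but not a risk)."""
    verdict = {}
    for resource, evidence in inferred.items():
        level = declared.get(resource, "NONE")
        if evidence and level == "NONE":
            verdict[resource] = "Undeclared"
        elif not evidence and level != "NONE":
            verdict[resource] = "Unused"
        else:
            verdict[resource] = "Aligned"
    return verdict


if __name__ == "__main__":
    caps = infer_capabilities(SAMPLE_SCRIPT)
    for resource, status in compare(DECLARED, caps).items():
        print(f"{resource:13} {status:11} {sorted(caps[resource])}")
```

On the constructed sample this yields the same picture as the table: one eastmoney.com URL, one environment variable, two filesystem write operations, and no shell or dynamic-code calls, so every row is Aligned. Feed it a script that calls `subprocess.run` or `exec` and the Shell or Dynamic code row flips to Undeclared, which is the condition that should block a "Safe to install" verdict. The walk is syntactic only: a URL built from pieces at runtime or a shell call reached through an alias would be missed, which is why a scanner pairs this with the runtime evidence in the capability map.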