Low risk: risk score 15/100
Last scanned: 2 days ago
stock-earnings-review
Earnings commentary for listed companies: generates earnings reviews for the five major markets (Shanghai, Shenzhen, Beijing, Hong Kong, US) from the East Money database, including financial report analysis and saving of PDF/Word attachments.
This is a legitimate stock earnings review skill that only calls East Money (eastmoney.com) APIs, reads a single declared environment variable for authentication, and writes files to a declared output directory.
Skill name: stock-earnings-review
Analysis time: 33.3s
Engine: pi
Verdict: safe to install
The skill is safe to use. Consider pinning the httpx dependency to a specific version in documentation to avoid potential supply-chain surprises.

Security findings (2)

Severity | Finding | Location
Low | API key placeholder in documentation example | SKILL.md:79
    SKILL.md line 79 shows 'your_api_key_here' as an export example. This is a documentation placeholder, not an actual credential, but it was flagged by pre-scan as a suspicious hardcoded value. It does not represent a real credential risk.
    export EM_API_KEY="your_api_key_here"
    → Change the example to a clearly non-functional placeholder like 'YOUR_KEY_HERE' or '<YOUR_KEY>' to prevent any confusion with real credentials
Low | httpx dependency not version-pinned | SKILL.md:100
    SKILL.md instructs 'pip3 install httpx --user' without a version constraint. A future httpx update could introduce unexpected behavior.
    pip3 install httpx --user
    → Pin to a specific version: pip3 install httpx==0.27.0 --user
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | All HTTP calls are documented: 3 eastmoney.com API endpoints
Environment variables | READ | READ | ✓ Consistent | Only reads EM_API_KEY; clearly declared in SKILL.md
File system | WRITE | WRITE | ✓ Consistent | Writes only to miaoxiang/stock-earnings-review/ with mkdir; declared in SKILL.md
Command execution | NONE | NONE | | No subprocess/os.system calls found in any script
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
Skill invocation | NONE | NONE | | No skill invocation found
Pre-scan flags: 1 high severity · 4 findings
High | API key | Suspected hardcoded credential
    API_KEY="your_api_key_here"
    SKILL.md:79
Medium | External URL
    https://ai-saas.eastmoney.com/proxy/entity/dialogTagsV2
    scripts/common.py:11
Medium | External URL
    https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/choice/reportList
    scripts/common.py:12
Medium | External URL
    https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/performance/comment
    scripts/common.py:13

Directory structure

6 files · 34.9 KB · 905 lines
Python: 4 files · 557 lines; Markdown: 2 files · 348 lines
├─ scripts/
│  ├─ call_review_api.py (Python, 128 lines · 4.3 KB)
│  ├─ common.py (Python, 218 lines · 6.9 KB)
│  ├─ normalize_report_period.py (Python, 132 lines · 4.5 KB)
│  └─ validate_entity.py (Python, 79 lines · 2.6 KB)
├─ BUSINESS_LOGIC.md (Markdown, 138 lines · 7.5 KB)
└─ SKILL.md (Markdown, 210 lines · 9.2 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
httpx | * | pip | | Version not pinned in SKILL.md install instructions

Security highlights

✓ No subprocess, os.system, or any shell execution calls found — all scripts use pure httpx/async IO
✓ No base64 piped into bash or other high-risk code patterns detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials store)
✓ No data exfiltration — all network requests are to documented eastmoney.com API endpoints
✓ No hidden instructions in comments or HTML
✓ No eval(), exec(), or dynamic code execution
✓ Capability map is fully aligned with declared behavior
✓ API key is read only from environment variable, never hardcoded in scripts
✓ Files written only to a declared output directory with controlled path construction