Scan Report
0 /100
mx_finance_search
Based on the East Money database; supports natural-language search of the latest announcements, research reports, financial news, exchange updates, official policies and more from across the web.
Legitimate financial news search skill that reads EM_API_KEY for API authentication and makes documented HTTP requests to East Money's API endpoint, with no malicious behavior detected.
Safe to install
No action required. The skill is a genuine financial information search tool with appropriate security practices.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/get_data.py:184 - writes output .txt files |
| Network | READ | READ | ✓ Aligned | scripts/get_data.py:165 - POST to ai-saas.eastmoney.com |
| Shell | NONE | NONE | — | No subprocess/os.system calls found |
| Environment | READ | READ | ✓ Aligned | scripts/get_data.py:69 - reads EM_API_KEY only |
| Skill Invoke | NONE | NONE | — | No skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
Findings: 3 (1 High, 2 Medium)

| Severity | Type | Description | Evidence | Location |
|---|---|---|---|---|
| High | API Key | Suspected hardcoded credential | API_KEY="your_api_key_here" | SKILL.md:61 |
| Medium | External URL | External URL | https://ai.eastmoney.com/mxClaw | SKILL.md:25 |
| Medium | External URL | External URL | https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchNews | scripts/get_data.py:73 |

File Tree
2 files · 17.2 KB · 456 lines (Python: 1 file · 298 lines; Markdown: 1 file · 158 lines)

├─ scripts/
│  └─ get_data.py (Python)
└─ SKILL.md (Markdown)
Security Positives
✓ Uses standard library only (urllib, asyncio, json) - no external dependencies with potential supply chain risks
✓ Reads EM_API_KEY only for API authentication, does not exfiltrate credentials
✓ Makes HTTP requests only to documented East Money API endpoint (ai-saas.eastmoney.com)
✓ Generates random userId/callId at runtime - no hardcoded user identifiers
✓ Proper error handling with descriptive error messages
✓ No shell execution or subprocess calls
✓ No obfuscation or base64-encoded payloads
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ SKILL.md correctly documents required environment variable and usage
✓ Output files are written to configurable directory with unique suffixes