Scan report
0/100
mx_finance_search
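Based on the East Money database; supports natural-language search across the latest announcements, research reports, financial news, exchange updates, official policies, and more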
Legitimate financial news search skill that reads EM_API_KEY for API authentication and makes documented HTTP requests to East Money's API endpoint, with no malicious behavior detected.
Can be installed
No action required. The skill is a genuine financial information search tool with appropriate security practices.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | scripts/get_data.py:184 - writes output .txt files |
| Network access | READ | READ | ✓ Consistent | scripts/get_data.py:165 - POST to ai-saas.eastmoney.com |
| Command execution | NONE | NONE | — | No subprocess/os.system calls found |
| Environment variables | READ | READ | ✓ Consistent | scripts/get_data.py:69 - reads EM_API_KEY only |
| Skill invocation | NONE | NONE | — | No skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
1 high · 3 findings
High · API key · Suspected hardcoded credential · API_KEY="your_api_key_here" · SKILL.md:61
Medium · External URL · External URL · https://ai.eastmoney.com/mxClaw · SKILL.md:25
Medium · External URL · External URL · https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchNews · scripts/get_data.py:73
Directory structure
2 files · 17.2 KB · 456 lines
Python 1f · 298L
Markdown 1f · 158L
├─ scripts
│  └─ get_data.py (Python)
└─ SKILL.md (Markdown)
Security highlights
✓ Uses standard library only (urllib, asyncio, json) - no external dependencies with potential supply chain risks
✓ Reads EM_API_KEY only for API authentication, does not exfiltrate credentials
✓ Makes HTTP requests only to documented East Money API endpoint (ai-saas.eastmoney.com)
✓ Generates random userId/callId at runtime - no hardcoded user identifiers
✓ Proper error handling with descriptive error messages
✓ No shell execution or subprocess calls
✓ No obfuscation or base64-encoded payloads
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ SKILL.md correctly documents required environment variable and usage
✓ Output files are written to configurable directory with unique suffixes