Trusted: risk score 5/100
Last scan: 19 hours ago
stock-ai-analyzer
Stock AI analysis assistant supporting basic and enhanced analysis
This is a legitimate stock analysis skill that uses Tushare for financial data and AI models for analysis. All functionality is properly documented with no hidden or suspicious behaviors.
Skill name: stock-ai-analyzer
Analysis time: 39.8s
Engine: pi
Verdict: safe to install
No security concerns. The skill is safe to use as documented.

Security findings: 2

Severity | Finding | Location

Severity: Low
Finding: Unpinned dependencies (category: Supply chain)
Description: No requirements.txt or pyproject.toml found; pandas, numpy, tushare have no version constraints
Evidence: import pandas, import tushare, import numpy
Recommendation: Add a requirements.txt with pinned versions (e.g., pandas>=1.5.0, numpy>=1.23.0, tushare>=1.4.0) to ensure reproducible builds
Location: N/A

Severity: Info
Finding: Minor network outbound not explicitly declared (category: Documentation deception)
Description: SKILL.md declares AI model usage but does not explicitly state that prompts are POSTed externally. ai_client.py makes outbound HTTP POST calls to AI endpoints.
Evidence: export LLM_API_BASE=https://your-endpoint/v1
Recommendation: Add a note in SKILL.md: 'Analysis prompts are sent to the configured AI endpoint for processing.'
Location: SKILL.md:39
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | data_fetcher.py:45 - reads .env from cwd only
Network access | READ | WRITE | ✓ Consistent | ai_client.py:50,70 - POSTs prompts to AI endpoints; SKILL.md line 39 declares 'A…
Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found
Environment variables | READ | READ | ✓ Consistent | ai_client.py reads API keys from os.environ
Skill invocation | NONE | NONE | | No inter-skill invocation detected
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No direct DB access found
External URL findings: 3

Severity | Type | Category | URL | Location
Medium | External URL | External URL | https://tushare.pro | README.md:20
Medium | External URL | External URL | https://your-api-endpoint/v1 | README.md:38
Medium | External URL | External URL | https://your-endpoint/v1 | SKILL.md:39

Directory structure

9 files · 79.6 KB · 2183 lines
Python: 6 files · 1826 lines; Markdown: 3 files · 357 lines
├─ 📁 scripts
│ ├─ 🐍 __init__.py Python 1L · 21 B
│ ├─ 🐍 ai_client.py Python 209L · 6.9 KB
│ ├─ 🐍 data_fetcher.py Python 372L · 14.4 KB
│ ├─ 🐍 enhanced_analyzer.py Python 104L · 4.4 KB
│ ├─ 🐍 financial_ratios.py Python 542L · 21.2 KB
│ └─ 🐍 stock_analyzer.py Python 598L · 22.9 KB
├─ 📝 OPTIMIZATION_SUMMARY.md Markdown 170L · 5.2 KB
├─ 📝 README.md Markdown 84L · 1.9 KB
└─ 📝 SKILL.md Markdown 103L · 2.8 KB

Dependency analysis: 3 packages

Package | Version | Source | Known vulnerabilities | Notes
tushare | * | pip | | No version constraint specified
pandas | * | pip | | No version constraint specified
numpy | * | pip | | No version constraint specified

Security highlights

✓ No subprocess, os.system, shell execution, or any form of code execution found
✓ No base64 encoding, obfuscation, or anti-analysis patterns detected
✓ No credential harvesting beyond API keys needed for the service
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env beyond current directory)
✓ No curl|bash or wget|sh remote script execution
✓ No hidden instructions in comments or strings
✓ No data exfiltration or C2 communication detected
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ .env file access is scoped to current working directory only (security-conscious design)
✓ AI client gracefully handles missing API keys with user-friendly errors
✓ Clean separation of concerns: data fetching, analysis, AI client are modular