Scan Report
0/100
industry_stock_tracker
Built on the East Money (东方财富) database, it produces tracking reports for an industry or an individual stock.
A legitimate industry/stock tracking report skill that makes API calls to East Money (eastmoney.com) and saves base64-decoded attachments to disk.
Safe to install
This skill is safe to use. No malicious behavior was detected. The only concern noted is a pinned version of the requests library, although the script itself uses only the stdlib urllib.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:script workflow declares attachment saving; script lines 161-173 decode… |
| Network | READ | READ | ✓ Aligned | SKILL.md:core workflow declares API call; script line 35 makes POST to ai-saas.e… |
| Environment | READ | READ | ✓ Aligned | SKILL.md metadata requires EM_API_KEY; script line 33 reads os.environ.get('EM_A… |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell invocation found |
Findings: 2 (1 High)
High: API Key, suspected hard-coded credential
  Evidence: API_KEY="your_api_key_here" (SKILL.md:34)
Medium: External URL
  Evidence: https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/tracking/report (scripts/generate_industry_stock_tracker_report.py:32)
File Tree
2 files · 13.1 KB · 386 lines (Python: 1 file, 270 lines; Markdown: 1 file, 116 lines)
├─ scripts/
│  └─ generate_industry_stock_tracker_report.py (Python)
└─ SKILL.md (Markdown)
Security Positives
✓ No shell execution or subprocess usage — pure Python stdlib only (urllib, base64, json, pathlib)
✓ API key is read from environment only and never exfiltrated — used solely for eastmoney.com API authentication
✓ Network requests go to a single, well-known, legitimate financial data provider (eastmoney.com)
✓ No sensitive path access (~/.ssh, ~/.aws, .env files, etc.)
✓ No hidden functionality — code behavior matches SKILL.md documentation precisely
✓ File writes are limited to the output directory for PDF/DOCX attachments only
✓ No base64 piped into bash or other obfuscation techniques
✓ No external IP addresses or suspicious URLs beyond the declared eastmoney.com endpoint
✓ Error handling is thorough with structured JSON error responses