Scan report
0/100
industry_stock_tracker
Relying on the East Money database, produces tracking reports for industries or individual stocks
A legitimate industry/stock tracking report skill that makes API calls to East Money (eastmoney.com) and saves base64-decoded attachments to disk.
Safe to install
This skill is safe to use. No malicious behavior detected. The only concern is using a pinned version of the requests library, though this skill uses stdlib urllib.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md:script workflow declares attachment saving; script lines 161-173 decode… |
| Network access | READ | READ | ✓ Consistent | SKILL.md:core workflow declares API call; script line 35 makes POST to ai-saas.e… |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md metadata requires EM_API_KEY; script line 33 reads os.environ.get('EM_A… |
| Command execution | NONE | NONE | — | No subprocess, os.system, or shell invocation found |
1 high severity · 2 findings
High severity · API key · Suspected hardcoded credential
API_KEY="your_api_key_here" SKILL.md:34
Medium severity · External URL · External URL
https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/tracking/report scripts/generate_industry_stock_tracker_report.py:32
Directory structure
2 files · 13.1 KB · 386 lines
Python 1f · 270L
Markdown 1f · 116L
├─ scripts
│  └─ generate_industry_stock_tracker_report.py (Python)
└─ SKILL.md (Markdown)
Security highlights
✓ No shell execution or subprocess usage — pure Python stdlib only (urllib, base64, json, pathlib)
✓ API key is read from environment only and never exfiltrated — used solely for eastmoney.com API authentication
✓ Network requests go to a single, well-known, legitimate financial data provider (eastmoney.com)
✓ No sensitive path access (~/.ssh, ~/.aws, .env files, etc.)
✓ No hidden functionality — code behavior matches SKILL.md documentation precisely
✓ File writes are limited to the output directory for PDF/DOCX attachments only
✓ No base64 piped into bash or other obfuscation techniques
✓ No external IP addresses or suspicious URLs beyond the declared eastmoney.com endpoint
✓ Error handling is thorough with structured JSON error responses