Scan Report
10/100
finance-reporter
Real-time financial data push tool: uses the Yahoo Finance API to fetch live quotes for global stock markets, foreign exchange, commodities and cryptocurrencies
A legitimate finance data fetcher using the Yahoo Finance API; no malicious behavior detected.
Safe to install
The skill is safe to use. Optionally pin requests to an exact version (with a hash, where the installer supports it) for supply-chain hygiene.
Findings (2 items)
| Severity | Category | Finding | Location |
|---|---|---|---|
| Low | Supply Chain | Loosely pinned dependency version | package.json:24 |
| Info | Doc Mismatch | Documentation mentions unimplemented features | SKILL.md:12 |
Declared vs. inferred resource usage
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations in code |
| Network | READ | READ | ✓ Aligned | tools/finance_data.py:36: only connects to query1.finance.yahoo.com |
| Shell | NONE | NONE | — | No subprocess or shell execution in code |
| Environment | NONE | NONE | — | No environment variable access |
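The Declared-vs-Inferred table is the most useful part of a report like this, because a manifest can claim NONE for a resource the code actually touches. The block below is an added example, not the scanner's own code: it approximates that check with the standard library ast module. SAMPLE is a constructed source file modelled on the fetcher described above (plus one environment read the declaration does not cover), and the EVIDENCE mapping from module and call names to resource classes is an assumption about what a scanner would treat as evidence.

```python
"""Infer a skill's resource usage from its Python source and compare it with
what the skill declares.

Added example, not the scanner's own code. SAMPLE is a constructed source
file; EVIDENCE is an assumed mapping from dotted names to resource classes."""
import ast

# Assumed evidence table: an import, call or subscript of these names counts
# toward the resource class (exact match or dotted-prefix match).
EVIDENCE = {
    "Filesystem": {"open", "pathlib", "shutil", "tempfile", "os.remove", "os.rename"},
    "Network": {"requests", "urllib", "http", "socket", "httpx", "aiohttp"},
    "Shell": {"subprocess", "pty", "os.system", "os.popen"},
    "Environment": {"os.environ", "os.getenv", "dotenv"},
}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def infer_resources(source):
    """Map each resource class to a sorted list of (lineno, name) evidence."""
    found = {res: set() for res in EVIDENCE}
    for node in ast.walk(ast.parse(source)):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module] + [f"{node.module}.{a.name}" for a in node.names]
        elif isinstance(node, (ast.Call, ast.Subscript)):
            # requests.get(...) is a Call; os.environ["X"] is a Subscript
            target = node.func if isinstance(node, ast.Call) else node.value
            dotted = _dotted(target)
            names = [dotted] if dotted else []
        for name in names:
            for res, patterns in EVIDENCE.items():
                if any(name == p or name.startswith(p + ".") for p in patterns):
                    found[res].add((node.lineno, name))
    return {res: sorted(ev) for res, ev in found.items()}


def compare(declared, inferred):
    """'aligned' when manifest and code agree, 'undeclared' when the code uses
    a resource the manifest marks NONE, 'unused' for the reverse."""
    status = {}
    for res in EVIDENCE:
        declares = declared.get(res, "NONE") != "NONE"
        uses = bool(inferred.get(res))
        if declares == uses:
            status[res] = "aligned"
        else:
            status[res] = "undeclared" if uses else "unused"
    return status


# Constructed sample: a fetcher like the one in the report, plus an
# environment read that the declaration below does not cover.
SAMPLE = '''
import requests
import os

def fetch(symbol):
    url = "https://query1.finance.yahoo.com/v8/finance/chart/" + symbol
    return requests.get(url, timeout=10).json()

def debug_flag():
    return os.environ.get("DEBUG")
'''

DECLARED = {"Filesystem": "NONE", "Network": "READ", "Shell": "NONE", "Environment": "NONE"}

if __name__ == "__main__":
    inferred = infer_resources(SAMPLE)
    for res, status in compare(DECLARED, inferred).items():
        print(f"{res:12} declared={DECLARED[res]:5} status={status:10} evidence={inferred[res]}")
```

Run against SAMPLE, Network comes out aligned (import on line 2, call on line 7) while Environment is reported as undeclared because of the os.environ.get call; that mismatch is exactly what a reviewer wants surfaced before trusting a NONE in the manifest. The check is deliberately syntactic: dynamic imports, getattr tricks or names bound through aliases will evade it, which is why the report's "Evidence" column still deserves a manual read.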
External URLs (2 findings)
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://finance.yahoo.com | SKILL.md:143 |
| Medium | External URL | https://query1.finance.yahoo.com/v8/finance/chart/ | tools/finance_data.py:36 |

File Tree
4 files · 11.7 KB · 390 lines (Markdown: 2 files, 213 lines; Python: 1 file, 142 lines; JSON: 1 file, 35 lines)
├─ tools
│  └─ finance_data.py (Python)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | ^2.28.0 | pip | No | Loose pinning: the caret accepts any 2.x release at or above 2.28.0 (npm range semantics; pip's PEP 440 specifiers have no caret operator), so a future minor update is installed unreviewed |
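The Low finding above is a version-specifier check. As an added example (not the scanner's own code), the block below reproduces that kind of check over a package.json-style manifest, reading the caret with npm range semantics since that is what the reported specifier uses. MANIFEST is constructed; the requests entry mirrors the finding, the other entries are made up to show the remaining classes, and the classification rules and severities are the author's assumptions.

```python
"""Flag loosely pinned dependencies in a package.json-style manifest.

Added example, not the scanner's own code. MANIFEST is constructed; the
classification rules and severities are assumptions."""
import json
import re

EXACT = re.compile(r"^=?\d+\.\d+\.\d+$")       # 2.28.0 or =2.28.0
PARTIAL = re.compile(r"^\d+(\.\d+)?$")         # 2 or 2.28: npm treats these as ranges
URL_PREFIXES = ("git+", "git://", "http://", "https://", "file:", "github:")


def classify(spec):
    """Classify one version specifier.

    exact - resolves to a single version
    loose - semver range (^, ~, >=, <, ||, hyphen ranges)
    any   - wildcard or partial version; any matching release is accepted
    url   - fetched from a URL, git ref or local path, outside the registry
    other - not recognised (tags, pre-release shorthand, ...)
    """
    s = spec.strip()
    if s.startswith(URL_PREFIXES):
        return "url"
    if s in ("", "*", "latest") or s.endswith((".x", "*")) or PARTIAL.match(s):
        return "any"
    if EXACT.match(s):
        return "exact"
    if s[0] in "^~<>" or "||" in s or " - " in s:
        return "loose"
    return "other"


# Assumed severities: an unpinned registry range is Low, an open wildcard is
# Medium, and a dependency pulled from outside the registry is High.
SEVERITY = {"loose": "Low", "any": "Medium", "url": "High", "other": "Info"}


def audit(manifest_text, location="package.json"):
    """Return one finding per dependency that is not pinned to an exact version."""
    data = json.loads(manifest_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            kind = classify(spec)
            if kind == "exact":
                continue
            findings.append({
                "severity": SEVERITY[kind],
                "package": name,
                "spec": spec,
                "kind": kind,
                "location": f"{location}:{section}",
            })
    return findings


# Constructed manifest: the requests entry mirrors the finding above, the
# others are invented to exercise the remaining classes.
MANIFEST = json.dumps({
    "name": "finance-reporter",
    "dependencies": {
        "requests": "^2.28.0",
        "lodash": "4.17.21",
        "left-pad": "*",
        "helper": "git+https://example.invalid/helper.git",
    },
})

if __name__ == "__main__":
    for f in audit(MANIFEST):
        print(f"{f['severity']:6} {f['package']:10} {f['spec']:45} {f['kind']}")
```

On MANIFEST the audit reports requests (Low, loose), left-pad (Medium, any) and helper (High, url) and is silent on lodash. Even an exact pin only fixes the version string, not the artifact: for real supply-chain hygiene the installer should also verify a lockfile or hash so that a republished version with the same number cannot slip in.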
Security Positives
✓ No credential harvesting or sensitive data access
✓ No shell execution or subprocess usage
✓ No data exfiltration: the only outbound destination is the Yahoo Finance API
✓ No obfuscation or base64-encoded payloads
✓ Clean, readable code with proper error handling
✓ Network requests limited to a legitimate financial data API
✓ Uses the standard requests library with a known-good User-Agent
✓ Implements retry logic with backoff for reliability