Scan Report
5/100
quotedance-market
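A professional global market investment-research daily report skill that provides structured market analysis with well-considered analytical dimensions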
This is a legitimate market research skill that aggregates financial data from public APIs and news feeds. All capabilities are appropriate for the declared purpose.
Safe to install
No action needed. The skill performs standard market data aggregation with appropriate network access and local caching.
Findings 3 items
| Severity | Finding | Location |
|---|---|---|
| Low | Curl fallback not documented in SKILL.md | scripts/market-scan.js:147 |
| Info | Environment variable access for API key | scripts/market-scan.js:199 |
| Info | Unused rsshubUrl in config | config.json:4 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | Uses fetch() and execFileSync('curl') for data retrieval from Yahoo Finance, Blo… |
| Filesystem | NONE | READ | ✓ Aligned | Reads config.json at line 12 |
| Filesystem | NONE | WRITE | ✓ Aligned | Writes to memory/ directory for caching (lines 35-36, 392-394) |
| Shell | NONE | READ | ✓ Aligned | execFileSync('curl') used as network fallback, not arbitrary command execution |

14 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://quotedance.api.gapgap.cc | SKILL.md:31 |
| Medium | External URL | https://query1.finance.yahoo.com/v7/finance/quote?symbols= | scripts/market-scan.js:233 |
| Medium | External URL | https://query2.finance.yahoo.com/v8/finance/chart/ | scripts/market-scan.js:252 |
| Medium | External URL | https://stooq.com/q/l/?s= | scripts/market-scan.js:279 |
| Medium | External URL | https://feeds.bloomberg.com/markets/news.rss | scripts/market-scan.js:475 |
| Medium | External URL | https://news.google.com/rss/search?q=Bloomberg+market&hl=en-US&gl=US&ceid=US:en | scripts/market-scan.js:476 |
| Medium | External URL | https://feeds.reuters.com/reuters/businessNews | scripts/market-scan.js:482 |
| Medium | External URL | https://news.google.com/rss/search?q=Reuters+markets&hl=en-US&gl=US&ceid=US:en | scripts/market-scan.js:483 |
| Medium | External URL | https://wallstreetcn.com/rss | scripts/market-scan.js:489 |
| Medium | External URL | https://news.google.com/rss/search?q=%E5%8D%8E%E5%B0%94%E8%A1%97%E8%A7%81%E9%97%BB&hl=zh-CN&gl=CN&ceid=CN:zh-Hans | scripts/market-scan.js:490 |
| Medium | External URL | https://www.jin10.com/rss | scripts/market-scan.js:496 |
| Medium | External URL | https://news.google.com/rss/search?q=%E9%87%91%E5%8D%81%E6%95%B0%E6%8D%AE&hl=zh-CN&gl=CN&ceid=CN:zh-Hans | scripts/market-scan.js:497 |
| Medium | External URL | https://www.coindesk.com/arc/outboundfeeds/rss/ | scripts/market-scan.js:502 |
| Medium | External URL | https://www.theblock.co/rss.xml | scripts/market-scan.js:506 |

File Tree
3 files · 31.1 KB · 1092 lines
JavaScript 1f · 857L
Markdown 1f · 201L
JSON 1f · 34L
├─ scripts
│ └─ market-scan.js (JavaScript)
├─ config.json ⚠ (JSON)
└─ SKILL.md (Markdown)
Security Positives
✓ All network requests are to legitimate, publicly documented financial data sources
✓ No credential harvesting or exfiltration behavior
✓ File writes are limited to local memory/ cache directory for legitimate caching purposes
✓ Shell execution via curl is controlled and used only for network fallback
✓ API key access is properly scoped to configuration, not general environment scanning
✓ No obfuscated code, base64 payloads, or hidden instructions
✓ Code is well-structured and readable