Trusted — Risk Score 5/100
Last scan: 1 day ago
BitSoulStockSkill
BitSoul's all-in-one comprehensive A-share stock market skill. It provides stock screening strategies, over a hundred built-in quantitative indicators commonly used in the industry, stock buy/sell point calculation based on a MOE mixed-factor expert model, individual stock risk assessment, key metric calculation, and data backtesting.
Legitimate A-share stock market analysis skill with all capabilities correctly declared; minor issues limited to unpinned Python dependencies.
Skill Name: BitSoulStockSkill
Duration: 71.0s
Engine: pi
Safe to install
Approve for use. Consider pinning exact dependency versions to reduce supply-chain risk.

Findings (2 items)

Severity: Low
Finding: Python dependencies lack version pinning
Location: Supply Chain
requirements.txt uses >= lower-bound constraints without upper bounds for pandas, numpy, requests, SQLAlchemy. This allows installing any newer version at pip install time, which could pull a compromised release.
    pandas>=1.3.5
    requests>=2.31.0
    SQLAlchemy>=2.0.48
    numpy>=1.21.0
→ Pin exact versions or use ~= constraints, e.g., pandas~=1.5.0, requests~=2.31.0
File: assets/requirements.txt:1

Severity: Info
Finding: BITSOUL_TOKEN sent to remote server for authentication
Location: Sensitive Access
The skill's API token (BITSOUL_TOKEN) is transmitted to info.aicodingyard.com over HTTP for check_token, decryption key requests, data downloads, and yield submission. This is expected behavior for a paid data service but worth noting for threat modeling.
    response = requests.post(url, json={"token": token}, timeout=define.HTTP_TIMEOUT)
→ Ensure the remote server is trusted and consider whether HTTPS enforcement is possible via config.json
File: scripts/remote_api.py:108
Resource      Declared  Inferred  Status     Evidence
Filesystem    READ      READ      ✓ Aligned  utils.py creates temp dir; data_fetcher.py reads/writes SQLite in temp dir; all …
Network       READ      READ      ✓ Aligned  remote_api.py and data_fetcher.py POST/GET to info.aicodingyard.com; stock_crawl…
Environment   READ      READ      ✓ Aligned  config.py reads BITSOUL_TOKEN and BITSOUL_TOKEN_ENV_FILE from os.environ; SKILL.…
Skill Invoke  READ      READ      ✓ Aligned  stock_api.py exposes StockApi with stock data/metrics/backtest methods; moe_sign…
Shell         NONE      NONE                 No subprocess/os.popen/shell=True found across all 21 Python files (grep confirm…
External URLs (8 findings)

Severity  Finding       URL                                                      Location
Medium    External URL  https://www.aicodingyard.com                             SKILL.md:8
Medium    External URL  https://finance.sina.com.cn/                             SKILL.md:25
Medium    External URL  http://info.aicodingyard.com                             assets/config.json:3
Medium    External URL  https://push2his.eastmoney.com/api/qt/stock/kline/get    scripts/factor_mining.py:382
Medium    External URL  https://www.eastmoney.com/                               scripts/factor_mining.py:391
Medium    External URL  http://hq.sinajs.cn/list=                                scripts/realtime_data_featcher.py:42
Medium    External URL  http://push2.eastmoney.com/api/qt/stock/get              scripts/stock_crawler.py:150
Medium    External URL  http://d.10jqka.com.cn/v6/line/hs_                       scripts/stock_crawler.py:219

File Tree

26 files · 662.4 KB · 17445 lines
Python 21f · 16159L Markdown 2f · 1051L JSON 2f · 231L Text 1f · 4L
├─ 📁 assets
│ ├─ 🔑 config.json JSON 5L · 99 B
│ └─ 📄 requirements.txt Text 4L · 64 B
├─ 📁 references
│ └─ 📝 API_FOR_LLM.md Markdown 915L · 23.5 KB
├─ 📁 scripts
│ ├─ 📁 formulaicAlphas
│ │ ├─ 🐍 __init__.py Python 36L · 1.0 KB
│ │ ├─ 🐍 alpha101.py Python 940L · 58.9 KB
│ │ ├─ 🐍 data_loader.py Python 111L · 4.1 KB
│ │ └─ 🐍 operators.py Python 189L · 7.4 KB
│ ├─ 🐍 backtest_tools.py Python 466L · 14.8 KB
│ ├─ 🐍 config.py Python 55L · 1.6 KB
│ ├─ 🐍 data_fetcher.py Python 1786L · 64.2 KB
│ ├─ 🐍 decrypt_patch.py Python 53L · 1.6 KB
│ ├─ 🐍 define.py Python 1464L · 51.6 KB
│ ├─ 🐍 factor_mining.py Python 849L · 40.1 KB
│ ├─ 🐍 indicators.py Python 3097L · 110.4 KB
│ ├─ 🐍 logger.py Python 2L · 63 B
│ ├─ 🐍 metrics.py Python 319L · 10.9 KB
│ ├─ 🐍 moe_signal.py Python 1268L · 50.6 KB
│ ├─ 📋 moe_weights.json JSON 226L · 5.3 KB
│ ├─ 🐍 realtime_data_featcher.py Python 93L · 3.7 KB
│ ├─ 🐍 remote_api.py Python 202L · 6.4 KB
│ ├─ 🐍 signals.py Python 775L · 30.4 KB
│ ├─ 🐍 stock_api.py Python 4035L · 152.9 KB
│ ├─ 🐍 stock_crawler.py Python 287L · 12.0 KB
│ ├─ 🐍 track_logger.py Python 14L · 364 B
│ └─ 🐍 utils.py Python 118L · 3.5 KB
└─ 📝 SKILL.md Markdown 136L · 7.0 KB

Dependencies (4 items)

Package     Version    Source            Known Vulns  Notes
pandas      >=1.3.5    requirements.txt  No           Version not pinned; only lower bound specified
numpy       >=1.21.0   requirements.txt  No           Version not pinned; only lower bound specified
requests    >=2.31.0   requirements.txt  No           Version not pinned; only lower bound specified
SQLAlchemy  >=2.0.48   requirements.txt  No           Version not pinned; only lower bound specified

Security Positives

✓ No subprocess, os.popen, shell=True, or any shell execution commands found
✓ No credential harvesting — does not scan ~/.ssh, ~/.aws, .env, or other credential paths
✓ No base64-encoded payloads, eval/exec, or dynamic code loading
✓ No hidden HTML comments, obfuscation, or anti-analysis patterns
✓ No prompt injection instructions found in any file
✓ No persistence mechanisms (cron, startup hooks, registry writes)
✓ No C2 communication or data exfiltration to undeclared endpoints
✓ All network access targets are explicitly declared in SKILL.md frontmatter
✓ Filesystem writes are scoped to temp directory (system temp/BitSoulStockSkill), not user home
✓ Token is used only for declared remote API authentication purposes
✓ Encrypted data files use per-file decryption keys fetched per-request — not stored insecurely
✓ Skill correctly uses sqlalchemy text() for parameterized SQL queries, preventing injection