Low Risk — Risk Score 10/100
Last scan: 1 day ago
mx_stocks_screener
A stock-screening tool built on the East Money database that supports natural-language queries to screen A-shares, Hong Kong and US stocks, funds, bonds and other asset classes.
Legitimate East Money stock screener with no malicious behavior; minor documentation inconsistencies and an unpinned dependency with no security impact.
Skill Name: mx_stocks_screener
Duration: 39.8s
Engine: pi
Safe to install
Pin httpx to a specific version (e.g., httpx>=0.27.0,<0.28.0) and align the header key casing between documentation and code for clarity.

Findings (2 items)

Severity | Finding | Location

Severity: Low
Finding: Unpinned httpx dependency (Supply Chain)
SKILL.md installs httpx without version constraints via 'pip3 install httpx --user'. An attacker who compromises PyPI or a mirror could supply a malicious version.
Snippet: pip3 install httpx --user
→ Pin to a specific version range, e.g., pip3 install 'httpx>=0.27.0,<0.28.0' --user
Location: SKILL.md:97

Severity: Low
Finding: Header key casing inconsistency (Doc Mismatch)
scripts/get_data.py:270 sends 'em_api_key' (lowercase) as the HTTP header key, while SKILL.md consistently references the uppercase environment variable 'EM_API_KEY'. This is internally consistent (the env var name is correct), but the header key casing is undocumented.
Snippet: "em_api_key": EM_API_KEY,
→ Document the exact HTTP header name used, or align it with the conventional EM_API_KEY naming.
Location: scripts/get_data.py:270
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file reads/writes beyond creating output CSVs in output_dir (user-provided pa…
Network | READ | READ | ✓ Aligned | scripts/get_data.py:263 — httpx.AsyncClient POST to ai-saas.eastmoney.com
Shell | NONE | NONE | | No subprocess or shell invocation found
Environment | READ | READ | ✓ Aligned | scripts/get_data.py:54 — os.environ.get('EM_API_KEY', '')
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill Invoke | NONE | NONE | | No skill invocation
Flagged patterns: 3 findings (1 High)

High | API Key | Suspected hard-coded credential
API_KEY="your_api_key_here"
SKILL.md:78

Medium | External URL | External URL
https://ai.eastmoney.com/mxClaw
SKILL.md:31

Medium | External URL | External URL
https://ai-saas.eastmoney.com/proxy/b/mcp/tool/selectSecurity
scripts/get_data.py:74

File Tree

2 files · 22.7 KB · 600 lines
Python: 1 file · 432 lines; Markdown: 1 file · 168 lines
├─ scripts/
│ └─ get_data.py (Python, 432 lines · 17.2 KB)
└─ SKILL.md (Markdown, 168 lines · 5.5 KB)

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
httpx | * | pip | No | Version not pinned; SKILL.md uses 'pip3 install httpx --user' without constraints

Security Positives

✓ No code obfuscation, base64 execution, or anti-analysis patterns detected
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No credential harvesting beyond the single declared EM_API_KEY used for its intended API
✓ No reverse shell, C2, or data exfiltration mechanisms
✓ No remote script execution (curl|bash, wget|sh)
✓ API key stays on-device and is only transmitted to the legitimate East Money endpoint
✓ Output files written only to user-specified output_dir with unique UUID suffixes