Low risk: risk score 10/100
Last scan: 1 day ago
mx_stocks_screener
A stock-screening tool built on the East Money database that supports natural-language queries to screen A-shares, Hong Kong and US stocks, funds, bonds and other asset types.
Legitimate East Money stock screener with no malicious behavior; minor documentation inconsistencies and an unpinned dependency with no security impact.
Skill name: mx_stocks_screener
Analysis time: 39.8s
Engine: pi
Verdict: safe to install
Pin httpx to a specific version (e.g., httpx>=0.27.0,<0.28.0) and align the header key casing between documentation and code for clarity.

Security findings (2)

Severity | Finding | Location
Low | Unpinned httpx dependency (supply chain) | SKILL.md:97
SKILL.md installs httpx without version constraints via 'pip3 install httpx --user'. An attacker who compromises PyPI or a mirror could supply a malicious version.
pip3 install httpx --user
→ Pin to a specific version range, e.g., pip3 install 'httpx>=0.27.0,<0.28.0' --user
Low | Header key casing inconsistency (documentation deception) | scripts/get_data.py:270
scripts/get_data.py:270 sends 'em_api_key' (lowercase) as the HTTP header name, while SKILL.md consistently references the uppercase environment variable 'EM_API_KEY'. This is internally consistent (the env var name is correct), but the header key casing is undocumented.
"em_api_key": EM_API_KEY,
→ Document the exact HTTP header name used, or align it with the conventional EM_API_KEY naming.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | No file reads/writes beyond creating output CSVs in output_dir (user-provided pa…
Network access | READ | READ | ✓ consistent | scripts/get_data.py:263: httpx.AsyncClient POST to ai-saas.eastmoney.com
Command execution | NONE | NONE | | No subprocess or shell invocation found
Environment variables | READ | READ | ✓ consistent | scripts/get_data.py:54: os.environ.get('EM_API_KEY', '')
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill invocation | NONE | NONE | | No skill invocation
1 high severity · 3 findings
High | API key | Suspected hard-coded credential | API_KEY="your_api_key_here" | SKILL.md:78
Medium | External URL | https://ai.eastmoney.com/mxClaw | SKILL.md:31
Medium | External URL | https://ai-saas.eastmoney.com/proxy/b/mcp/tool/selectSecurity | scripts/get_data.py:74

Directory structure

2 files · 22.7 KB · 600 lines
Python: 1 file · 432 lines; Markdown: 1 file · 168 lines
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 432L · 17.2 KB
└─ 📝 SKILL.md Markdown 168L · 5.5 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
httpx | * | pip | | Version not pinned; SKILL.md uses 'pip3 install httpx --user' without constraints

Security highlights

✓ No code obfuscation, base64 execution, or anti-analysis patterns detected
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No credential harvesting beyond the single declared EM_API_KEY used for its intended API
✓ No reverse shell, C2, or data exfiltration mechanisms
✓ No remote script execution (curl|bash, wget|sh)
✓ API key stays on-device and is only transmitted to the legitimate East Money endpoint
✓ Output files written only to user-specified output_dir with unique UUID suffixes