Scan report
Risk score: 15 / 100
research-analyst
Local stock/crypto analysis with 8-dimension scoring system using public APIs
Legitimate financial analysis tool with no malicious behavior detected. All capabilities align with documentation - read-only network access to public APIs, local storage only, no subprocess or credential access.
OK to install
This skill is safe to use. Monitor for any supply chain changes in PyPI dependencies and consider pinning to verified hashes for enhanced security.
Security findings (2)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | requirements.txt contains non-verifiable SHA256 hashes | Supply chain | requirements.txt:1 |
| Low | Security verification commands reference non-existent patterns | Documentation deception | skill.md:295 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | Local script execution, JSON portfolio storage |
| Network access | READ | READ | ✓ Consistent | urllib/yfinance GET requests only, no POST |
| Command execution | NONE | NONE | — | No subprocess or os.system calls found |
| Environment variables | NONE | READ | ✓ Consistent | Reads CLAWDBOT_STATE_DIR env var only |
| Skill invocation | NONE | NONE | — | No skill invocation detected |
| Clipboard | NONE | NONE | — | Not accessed |
| Browser | NONE | NONE | — | Not accessed |
| Database | NONE | NONE | — | Local JSON file only (not a DB) |
Findings (9)
| Severity | Category | Value | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/ClawHub-Skill-blue | README.md:5 |
| Medium | External URL | https://clawhub.ai | README.md:5 |
| Medium | External URL | https://img.shields.io/badge/License-MIT--0-green | README.md:6 |
| Medium | External URL | https://spdx.org/licenses/MIT-0.html | README.md:6 |
| Medium | External URL | https://push2.eastmoney.com/api/qt/clist/get | scripts/cn_market_rankings.py:4 |
| Medium | External URL | https://quote.eastmoney.com/center/gridlist.html | scripts/cn_market_rankings.py:6 |
| Medium | External URL | https://hq.sinajs.cn/list= | scripts/cn_stock_quotes.py:28 |
| Medium | External URL | https://finance.sina.com.cn | scripts/cn_stock_quotes.py:33 |
| Info | Email address | [email protected] | SECURITY.md:260 |
Directory structure
10 files · 162.0 KB · 5040 lines
Python: 5 files · 3871 lines
Markdown: 3 files · 1010 lines
Shell: 1 file · 110 lines
Text: 1 file · 49 lines
├─ scripts/
│  ├─ cn_market_rankings.py (Python)
│  ├─ cn_stock_quotes.py (Python)
│  ├─ dividend_analyzer.py (Python)
│  ├─ portfolio_manager.py (Python)
│  └─ stock_analyzer.py (Python)
├─ README.md (Markdown)
├─ requirements.txt (Text)
├─ SECURITY.md (Markdown)
├─ skill.md (Markdown)
└─ verify_install.sh (Shell)
Dependency analysis (8)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| yfinance | 0.2.40 | pip | No | Industry-standard Yahoo Finance API wrapper |
| requests | 2.31.0 | pip | No | HTTP library (not actually used; urllib is used instead) |
| pandas | 2.2.0 | pip | No | Standard data analysis library |
| numpy | 1.26.3 | pip | No | Core numerical computing |
| beautifulsoup4 | 4.12.3 | pip | No | HTML parsing (not heavily used) |
| lxml | 5.1.0 | pip | No | XML/HTML processor (dependency) |
| python-dateutil | 2.8.2 | pip | No | Date utilities (transitive) |
| pytz | 2024.1 | pip | No | Timezone handling (transitive) |
Security highlights
✓ No subprocess, os.system, or shell execution calls found in any Python script
✓ No credential theft indicators - no API key harvesting, no environment variable iteration for secrets
✓ No data exfiltration - only read-only GET requests to public financial APIs
✓ No obfuscation detected - all code is readable Python, no base64-encoded payloads
✓ No prompt injection vectors identified
✓ No persistence mechanisms - no cron jobs, startup scripts, or backdoors
✓ Local storage only - portfolio data stays in ~/.clawdbot, not sent externally
✓ Standard, well-established PyPI dependencies with millions of downloads
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ Verified: All 5 scripts match their documented functionality