Low risk: risk score 18/100
Last scan: 1 day ago
yahooclaw
Yahoo Finance API integration for OpenClaw - stock quotes, historical data, technical analysis
YahooClaw is a legitimate stock market data fetching skill with no malicious behavior detected. Minor concerns include documentation inconsistencies and unpinned dependencies.
Skill name: yahooclaw
Analysis time: 47.1s
Engine: pi
Safe to install
This skill is safe to use. Consider pinning dependency versions for production deployments. The hardcoded Alpha Vantage key in test files is a public demo key, not an active credential.

Security findings (3)

Severity | Finding | Category | Location
Low | Documentation mentions SQLite but implementation uses in-memory caching | Documentation deception | SKILL.md:14
  Detail: SKILL.md claims 'Local SQLite database storage (optional caching)', but the actual code uses only in-memory Map-based caching in APIManager.js
  Evidence: ✅ File Access: Local SQLite database storage (optional caching)
  Recommendation: Update SKILL.md to reflect the actual implementation (in-memory caching only), or implement the claimed SQLite feature
Low | Dependencies not fully version pinned | Supply chain | package.json:18
  Detail: package.json uses caret ranges, which allow minor and patch version updates and could introduce unexpected changes
  Evidence: "yahoo-finance2": "^2.11.3", "dotenv": "^17.3.1"
  Recommendation: Consider pinning exact versions for production: yahoo-finance2: '2.11.3', dotenv: '17.3.1'
Info | Test file contains Alpha Vantage demo API key | Sensitive access | test-alpha.js:10
  Detail: test-alpha.js contains the hardcoded Alpha Vantage API key '9Z6PTPL7AB5M5DN3', which is a well-known public demo key
  Evidence: apiKey: '9Z6PTPL7AB5M5DN3'
  Recommendation: This is Alpha Vantage's public demo key; it is safe for testing and should not be mistaken for a leaked live credential
Resource | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | Uses fetch() to yahoo-finance2 and alphavantage.co
File system | WRITE | NONE | ✓ Consistent | SKILL.md claims SQLite storage, but code uses in-memory Map only
Command execution | NONE | NONE | | No child_process, exec, or shell commands found
Environment variables | READ | READ | ✓ Consistent | Only reads ALPHA_VANTAGE_API_KEY
Skill invocation | NONE | NONE | | No skill invocation chain detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | WRITE | NONE | ✓ Consistent | Declared SQLite, but only in-memory caching implemented
13 findings (1 high)

Severity | Type | Detail | Location
High | API key | Suspected hardcoded credential: apiKey: '9Z6PTPL7AB5M5DN3' | test-alpha.js:10
Medium | External URL | https://img.shields.io/github/v/tag/leohuang8688/yahooclaw?label=version&color=green | README-CN.md:5
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README-CN.md:6
Medium | External URL | https://opensource.org/licenses/MIT | README-CN.md:6
Medium | External URL | https://img.shields.io/badge/OpenClaw-Skill-blue | README-CN.md:7
Medium | External URL | https://finance.yahoo.com/news/... | README-CN.md:262
Medium | External URL | https://finance.yahoo.com/ | README-CN.md:437
Medium | External URL | https://www.alphavantage.co/ | README-CN.md:439
Medium | External URL | https://discord.gg/clawd | README-CN.md:449
Medium | External URL | https://www.alphavantage.co/support/#api-key | README.md:59
Medium | External URL | https://docs.openclaw.ai/ | SKILL.md:153
Medium | External URL | https://www.alphavantage.co/support/ | docs/API-CONFIGURATION.md:281
Medium | External URL | https://www.alphavantage.co/query | src/api/AlphaVantage.js:14

Directory structure

22 files · 92.4 KB · 3720 lines
JavaScript: 14 files · 2012 lines | Markdown: 7 files · 1671 lines | JSON: 1 file · 37 lines
├─ 📁 docs
│ ├─ 📝 API-CONFIGURATION.md Markdown 286L · 6.2 KB
│ └─ 📝 USAGE-SCENARIOS.md Markdown 373L · 7.5 KB
├─ 📁 src
│ ├─ 📁 api
│ │ ├─ 📜 AlphaVantage.js JavaScript 264L · 7.6 KB
│ │ └─ 📜 APIManager.js JavaScript 204L · 4.9 KB
│ ├─ 📁 modules
│ │ ├─ 📜 History.js JavaScript 113L · 2.4 KB
│ │ ├─ 📜 News.js JavaScript 169L · 4.5 KB
│ │ ├─ 📜 Quote.js JavaScript 81L · 2.3 KB
│ │ ├─ 📜 Technical.js JavaScript 389L · 10.8 KB
│ │ └─ 📜 YahooFinanceAdapter.js JavaScript 177L · 4.0 KB
│ └─ 📜 index.js JavaScript 85L · 2.0 KB
├─ 📁 test
│ └─ 📜 test-modules.js JavaScript 134L · 3.9 KB
├─ 📜 demo.js JavaScript 45L · 1.4 KB
├─ 📋 package.json JSON 37L · 846 B
├─ 📝 README-CN.md Markdown 453L · 10.9 KB
├─ 📝 README.md Markdown 139L · 3.3 KB
├─ 📝 SECURITY.md Markdown 69L · 1.4 KB
├─ 📝 SKILL.md Markdown 178L · 4.3 KB
├─ 📝 TEST_REPORT.md Markdown 173L · 3.4 KB
├─ 📜 test-alpha.js JavaScript 40L · 1.1 KB
├─ 📜 test-full.js JavaScript 159L · 4.9 KB
├─ 📜 test-integration.js JavaScript 109L · 3.2 KB
└─ 📜 test-tsla.js JavaScript 43L · 1.5 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
yahoo-finance2 | ^2.11.3 | npm | | Version range allows minor/patch updates
dotenv | ^17.3.1 | npm | | Version range allows minor/patch updates

Security highlights

✓ No eval(), exec(), or child_process usage found
✓ No base64 encoding or obfuscation detected
✓ No credential exfiltration or C2 communication
✓ No reverse shell or remote code execution
✓ All network requests use HTTPS
✓ Input validation implemented in API calls
✓ Error handling is comprehensive
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden functionality discovered
✓ Open source and auditable codebase
✓ Rate limiting implemented in API calls