Trusted — Risk Score 5/100
Last scan: 1 day ago
Stock Historical Data Query / 股票历史行情查询
Queries historical daily stock data, K-line (candlestick) data and trend analysis, based on the JisuAPI (极速数据) platform.
Clean, well-documented stock history query skill that only makes API calls to api.jisuapi.com using the user-provided JISU_API_KEY for declared stock data functionality.
Skill Name: Stock Historical Data Query / 股票历史行情查询
Duration: 24.5s
Engine: pi
Safe to install
No action needed. The skill is safe to use.

Findings (2 items)

Severity: Low
Finding: API key placeholder in documentation
Details: SKILL.md line 25 shows 'your_appkey_here' as a placeholder example. This is standard documentation practice and not a real credential.
Evidence: export JISU_API_KEY="your_appkey_here"
Recommendation: No action needed. Consider labeling it more clearly as a placeholder.
Location: SKILL.md:25

Severity: Low
Finding: requests library version not pinned
Details: The skill uses the requests library without a version pin in any dependency file.
Evidence: import requests
Recommendation: Add a requirements.txt pinning requests>=2.28.0 for reproducibility.
Location: stockhistory.py:10
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | stockhistory.py:31 — requests.get(url, params=all_params, timeout=10)
Environment | READ | READ | ✓ Aligned | stockhistory.py:113 — os.getenv('JISU_API_KEY')
Filesystem | NONE | NONE | | No file operations — only stdout printing
Shell | NONE | NONE | | No subprocess or shell execution
1 High · 4 findings

Severity: High
Type: API Key (suspected hard-coded credential)
Match: API_KEY="your_appkey_here"
Location: SKILL.md:25

Severity: Medium
Type: External URL
Match: https://www.jisuapi.com/
Location: SKILL.md:9

Severity: Medium
Type: External URL
Match: https://www.jisuapi.com/api/stockhistory/
Location: SKILL.md:18

Severity: Medium
Type: External URL
Match: https://api.jisuapi.com/stockhistory
Location: stockhistory.py:14

File Tree

2 files · 11.5 KB · 342 lines
Markdown: 1 file · 203 lines; Python: 1 file · 139 lines
├─ 📝 SKILL.md Markdown 203L · 7.2 KB
└─ 🐍 stockhistory.py Python 139L · 4.3 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | unpinned | import | No | Used for HTTP API calls; version not pinned — recommend adding requirements.txt

Security Positives

✓ No subprocess, shell, or system command execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No data exfiltration or credential theft
✓ No base64, eval, or obfuscated code patterns
✓ No hidden functionality — code matches documented behavior exactly
✓ No reverse shell, C2, or external IP callbacks
✓ API key is only used to authenticate with the declared JisuAPI endpoint
✓ Input validation present for required parameters (code, classid)
✓ Error handling covers network failures, non-200 responses, and invalid JSON
✓ Clean, focused implementation with no dependency on suspicious libraries