扫描报告
5 /100
mx_finance_search
基于东方财富数据库的金融资讯搜索工具,支持自然语言查询新闻、公告、研报等
Legitimate financial news search skill that queries East Money API with proper credential handling and no malicious indicators.
可以安装
Skill is safe to use. Ensure EM_API_KEY is obtained from the official East Money portal.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | scripts/get_data.py:73 - POST to https://ai-saas.eastmoney.com |
| 文件系统 | WRITE | WRITE | ✓ 一致 | scripts/get_data.py:165 - output_path.write_text(content) |
| 环境变量 | READ | READ | ✓ 一致 | scripts/get_data.py:52 - os.environ.get('EM_API_KEY') |
| 命令执行 | NONE | NONE | — | No subprocess/shell execution detected |
1 高危 3 项发现
高危 API 密钥 疑似硬编码凭证
API_KEY="your_api_key_here" SKILL.md:61 中危 外部 URL 外部 URL
https://ai.eastmoney.com/mxClaw SKILL.md:25 中危 外部 URL 外部 URL
https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchNews scripts/get_data.py:73 目录结构
2 文件 · 16.7 KB · 456 行 Python 1f · 298L
Markdown 1f · 158L
├─
▾
scripts
│ └─
get_data.py
Python
└─
SKILL.md
Markdown
安全亮点
✓ Only accesses EM_API_KEY environment variable for authentication
✓ No credential harvesting or exfiltration
✓ No shell command execution
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64/eval obfuscation patterns
✓ No remote script execution (curl|bash, wget|sh)
✓ Uses standard urllib library for HTTP requests
✓ Generates unique user IDs per request (privacy-preserving)
✓ Clear error handling without information leakage
✓ Code and documentation are consistent