Trusted — Risk Score 5/100
Last scan: 1 day ago
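A-Share Stock Market Analysis and Investment Advisor (安西军 Project)
Stock data query and analysis for the China A-share and Hong Kong stock markets; calls read-only endpoints with a TAX-API-Key to retrieve quotes, fundamentals, indices and text data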
A legitimate A-share stock market data query skill using a single API key for read-only GET requests against a documented endpoint. No scripts, no local execution, no credential exfiltration, and no hidden functionality.
Skill Name: A-Share Stock Market Analysis and Investment Advisor (安西军 Project)
Duration: 27.5s
Engine: pi
Safe to install
No action needed. The skill is safe to use as described. Ensure the TAX_API_KEY credential is stored securely in the platform's secret manager and not exposed in logs.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md metadata: only GET to https://tax.yyyou.top/stocks/* |
| Environment | READ | READ | ✓ Aligned | SKILL.md metadata: requires.env TAX_API_KEY |
| Filesystem | NONE | NONE | | No file operations in any document |
| Shell | NONE | NONE | | No shell commands in any document |
| Skill Invoke | NONE | NONE | | No cross-skill invocation declared |
| Clipboard | NONE | NONE | | No clipboard access mentioned |
| Browser | NONE | NONE | | No browser automation declared |
| Database | NONE | NONE | | No database access declared |
5 findings

| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://tax.yyyou.top/** | README.MD:16 |
| Medium | External URL | https://tax.yyyou.top/ | README.MD:138 |
| Medium | External URL | https://tax.yyyou.top/stocks/ | SKILL.md:59 |
| Medium | External URL | https://tax.yyyou.top/stocks/... | SKILL_REFERENCE.MD:27 |
| Medium | External URL | https://tax.yyyou.top | SKILL_REFERENCE.MD:47 |

File Tree

4 files · 22.0 KB · 614 lines
Markdown 4f · 614L
├─ 📝 CHANGELOG.MD Markdown 53L · 894 B
├─ 📝 README.MD Markdown 156L · 4.3 KB
├─ 📝 SKILL_REFERENCE.MD Markdown 271L · 11.9 KB
└─ 📝 SKILL.md Markdown 134L · 4.9 KB

Security Positives

✓ No scripts or executable code files present — behavior is entirely declarative
✓ Only GET requests to a single documented domain (tax.yyyou.top); no arbitrary network targets
✓ TAX_API_KEY is injected via platform environment variable and never exposed in logs or chat
✓ Skill explicitly disclaims trading capability, local file storage, and local credential access
✓ Remote template injection (Section 2.1.5) has a documented two-grade security model with clear handling rules
✓ No obfuscation, base64 payloads, or anti-analysis techniques observed
✓ No supply chain risk — no dependencies or package files
✓ All capability declarations in metadata match the documented behavior