Scan Report
0 /100
industry_research_report
依托东方财富数据库,为指定行业生成深度研究报告
A legitimate industry research report generation skill that uses httpx to call the East Money (东方财富) financial API, saves base64-decoded PDF/DOCX output to disk, and requires only an EM_API_KEY environment variable.
Safe to install
No security concerns identified. The skill performs exactly as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | scripts/get_data.py:157 — httpx POST to ai-saas.eastmoney.com |
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/get_data.py:94 — writes base64-decoded PDF/DOCX files; declared in SKILL… |
| Environment | READ | READ | ✓ Aligned | scripts/get_data.py:66 — reads EM_API_KEY from os.environ; declared in SKILL.md |
| Shell | NONE | NONE | — | No subprocess/shell invocation found |
1 High 2 findings
High API Key 疑似硬编码凭证
API_KEY="your_api_key_here" SKILL.md:44 Medium External URL 外部 URL
https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/industry/research scripts/get_data.py:75 File Tree
2 files · 14.0 KB · 345 lines Python 1f · 217L
Markdown 1f · 128L
├─
▾
scripts
│ └─
get_data.py
Python
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
httpx | unpinned | pip | No | Version not pinned in SKILL.md; consider pinning to a known stable release |
Security Positives
✓ No shell execution or subprocess usage — pure Python with httpx and stdlib
✓ API key loaded exclusively from environment variable (EM_API_KEY), never hardcoded in code
✓ Network calls go to a well-known legitimate financial API endpoint (East Money/eastmoney.com)
✓ File writes are limited to saving PDF and DOCX reports in a predictable output directory
✓ Filename sanitization implemented (_safe_filename) to prevent path traversal
✓ Base64 decoding is used for binary file storage, a standard and safe approach
✓ DOCX text extraction is a local fallback with no network activity
✓ No iteration over environment variables, no credential harvesting
✓ No base64-to-shell, no curl|bash, no direct IP calls, no eval patterns
✓ Skill behavior is fully declared in SKILL.md with clear doc-to-code alignment