Trusted: risk score 0/100
Last scan: 2 days ago
industry_research_report
Generates in-depth research reports for a specified industry, backed by the East Money (东方财富) database.
A legitimate industry research report generation skill that uses httpx to call the East Money (东方财富) financial API, saves base64-decoded PDF/DOCX output to disk, and requires only an EM_API_KEY environment variable.
Skill name: industry_research_report
Analysis time: 28.3s
Engine: pi
Verdict: can be installed
No security concerns identified. The skill performs exactly as documented.
Resource type           Declared  Inferred  Status        Evidence
Network access          READ      READ      ✓ Consistent  scripts/get_data.py:157 — httpx POST to ai-saas.eastmoney.com
File system             WRITE     WRITE     ✓ Consistent  scripts/get_data.py:94 — writes base64-decoded PDF/DOCX files; declared in SKILL…
Environment variables   READ      READ      ✓ Consistent  scripts/get_data.py:66 — reads EM_API_KEY from os.environ; declared in SKILL.md
Command execution       NONE      NONE                    No subprocess/shell invocation found
1 high-risk, 2 findings in total

🔑 High risk · API key · Suspected hardcoded credential
   API_KEY="your_api_key_here"
   SKILL.md:44

🔗 Medium risk · External URL
   https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/write/industry/research
   scripts/get_data.py:75

Directory structure

2 files · 14.0 KB · 345 lines
Python: 1 file · 217 lines; Markdown: 1 file · 128 lines
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 217L · 9.9 KB
└─ 📝 SKILL.md Markdown 128L · 4.2 KB

Dependency analysis (1 item)

Package   Version   Source   Known vulnerabilities   Notes
httpx     unpinned  pip                              Version not pinned in SKILL.md; consider pinning to a known stable release

Security highlights

✓ No shell execution or subprocess usage — pure Python with httpx and stdlib
✓ API key loaded exclusively from environment variable (EM_API_KEY), never hardcoded in code
✓ Network calls go to a well-known legitimate financial API endpoint (East Money/eastmoney.com)
✓ File writes are limited to saving PDF and DOCX reports in a predictable output directory
✓ Filename sanitization implemented (_safe_filename) to prevent path traversal
✓ Base64 decoding is used for binary file storage, a standard and safe approach
✓ DOCX text extraction is a local fallback with no network activity
✓ No iteration over environment variables, no credential harvesting
✓ No base64-to-shell, no curl|bash, no direct IP calls, no eval patterns
✓ Skill behavior is fully declared in SKILL.md with clear doc-to-code alignment