Low Risk — Risk Score 15/100
Last scan: 1 day ago
mx_stocks_screener
Miaoxiang (妙想) LLM stock-picking tool - natural-language stock/ETF/fund screener using the East Money API
Legitimate stock screener tool using East Money API with proper credential handling, though minor documentation gap exists around declared vs inferred capabilities.
Skill Name: mx_stocks_screener
Duration: 32.2s
Engine: pi
Safe to install
Add explicit documentation of filesystem:WRITE and network:WRITE capabilities in SKILL.md metadata. The 'your_api_key_here' placeholder in docs is a documentation example only and poses no risk.

Findings 3 items

Severity Finding Location
Low
Undeclared network capability
The code performs HTTP POST requests to ai-saas.eastmoney.com but network access is not declared in SKILL.md metadata. However, this is the core functionality of the skill and the endpoint is East Money's legitimate financial data API.
result = await client.post(MCP_URL, json=meta, headers={'em_api_key': EM_API_KEY})
→ Add network:WRITE to allowed-tools declaration in _meta.json or SKILL.md metadata
scripts/get_data.py:271
Low
Undeclared filesystem write capability
The code writes CSV and description files to disk but filesystem:WRITE is not declared in metadata. This is necessary for the skill's output functionality.
with open(csv_path, 'w', newline='', encoding='utf-8') as f:
→ Document that the skill writes output files to configurable output_dir
scripts/get_data.py:219
Info
Documentation placeholder key
SKILL.md line 78 shows 'your_api_key_here' as an example value. This is a documentation placeholder, not an actual hardcoded credential - the code correctly reads from environment variable EM_API_KEY.
export EM_API_KEY="your_api_key_here"
→ No action needed - this is standard documentation practice
SKILL.md:78
Resource | Declared | Inferred | Status | Evidence
Environment | READ | READ | ✓ Aligned | scripts/get_data.py:50 os.environ.get('EM_API_KEY')
Network | NONE | WRITE | ✗ Undeclared (Low finding above) | scripts/get_data.py:271 client.post(MCP_URL, headers={'em_api_key': EM_API_KEY})
Filesystem | NONE | WRITE | ✗ Undeclared (Low finding above) | scripts/get_data.py:219 csv_path.write_text() and csv.DictWriter
Shell | NONE | NONE | ✓ Aligned | No subprocess or shell execution found
Browser | NONE | NONE | ✓ Aligned | No browser automation found
Database | NONE | NONE | ✓ Aligned | No database access found
Clipboard | NONE | NONE | ✓ Aligned | No clipboard access found
Skill Invoke | NONE | NONE | ✓ Aligned | No skill invocation found
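The declared-versus-inferred comparison in the table above can be reproduced with a small static check over the skill's source. The following Python is an added example, not code from the scanned skill or from the scanning engine. The manifest representation (a dict mapping resource to NONE/READ/WRITE), the constructed sample source modelled on the quoted lines of scripts/get_data.py, and the receiver-name heuristic used to recognise HTTP calls are all assumptions.

```python
"""Added example (not the scanned skill's code, not the scanner's): infer which
resources a skill's Python source actually touches and compare the result
with what its metadata declares. The manifest representation (resource ->
'NONE' | 'READ' | 'WRITE') is an assumption; real skill manifests may differ."""
import ast

# Constructed sample modelled on the lines of scripts/get_data.py quoted in the report.
SAMPLE_SOURCE = '''
import os
import csv
import httpx

EM_API_KEY = os.environ.get('EM_API_KEY')
MCP_URL = 'https://ai-saas.eastmoney.com/proxy/b/mcp/tool/selectSecurity'

async def fetch(meta):
    async with httpx.AsyncClient(timeout=30) as client:
        result = await client.post(MCP_URL, json=meta, headers={'em_api_key': EM_API_KEY})
        return result.json()

def save(rows, csv_path):
    with open(csv_path, 'w', newline='', encoding='utf-8') as f:
        csv.DictWriter(f, fieldnames=list(rows[0])).writerows(rows)
'''

# Assumed declaration as the report reads SKILL.md: only environment:READ.
DECLARED = {'environment': 'READ'}

RANK = {'NONE': 0, 'READ': 1, 'WRITE': 2}
HTTP_WRITE = {'post', 'put', 'patch', 'delete'}
HTTP_READ = {'get', 'head', 'options', 'request', 'stream'}
# Heuristic: HTTP verbs count only on receivers that look like HTTP clients,
# so that dict.get() is not mistaken for network access.
HTTP_RECEIVERS = {'httpx', 'requests', 'aiohttp', 'client', 'session'}


def _dotted(node):
    """Render a Name/Attribute chain as dotted text; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return '.'.join(reversed(parts))
    return ''


def _open_mode(call):
    """Classify builtin open() by its mode argument (positional or keyword; default 'r')."""
    mode = 'r'
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == 'mode' and isinstance(kw.value, ast.Constant):
            mode = str(kw.value.value)
    return 'WRITE' if any(c in mode for c in 'wax+') else 'READ'


def infer_capabilities(source):
    """Walk the AST and record the highest access level seen per resource."""
    inferred = {r: 'NONE' for r in ('environment', 'network', 'filesystem', 'shell')}

    def raise_to(resource, level):
        if RANK[level] > RANK[inferred[resource]]:
            inferred[resource] = level

    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = _dotted(node.func)
        receiver, _, leaf = target.rpartition('.')
        receiver_leaf = receiver.rpartition('.')[2].lower()
        if target.startswith('os.environ') or target == 'os.getenv':
            raise_to('environment', 'READ')
        elif target.startswith('subprocess.') or target in ('os.system', 'os.popen'):
            raise_to('shell', 'WRITE')
        elif receiver_leaf in HTTP_RECEIVERS and leaf in HTTP_WRITE:
            raise_to('network', 'WRITE')
        elif receiver_leaf in HTTP_RECEIVERS and leaf in HTTP_READ:
            raise_to('network', 'READ')
        elif target == 'open':
            raise_to('filesystem', _open_mode(node))
        elif leaf in ('write_text', 'write_bytes', 'mkdir', 'unlink', 'rename'):
            raise_to('filesystem', 'WRITE')
        elif leaf in ('read_text', 'read_bytes'):
            raise_to('filesystem', 'READ')
    return inferred


def compare(declared, inferred):
    """One row per resource; a resource is Undeclared when code exceeds the declared level."""
    rows = []
    for resource, level in inferred.items():
        declared_level = declared.get(resource, 'NONE').upper()
        status = 'Aligned' if RANK[level] <= RANK[declared_level] else 'Undeclared'
        rows.append((resource, declared_level, level, status))
    return rows


if __name__ == '__main__':
    for resource, declared_level, level, status in compare(DECLARED, infer_capabilities(SAMPLE_SOURCE)):
        print(f'{resource:<12} declared={declared_level:<5} inferred={level:<5} {status}')
```

Run against the constructed sample, the check reports environment and shell as Aligned and network and filesystem as Undeclared, which is the mismatch the two Low findings describe. Subscript access such as os.environ['X'] and dynamically imported modules are not Call nodes and would need separate handling in a production checker.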
Pattern scan: 3 findings (1 High, 2 Medium)

High · API Key · suspected hardcoded credential (regex match on the literal below; the review findings above classify this value as a documentation placeholder, see the Info finding)
API_KEY="your_api_key_here"
SKILL.md:78

Medium · External URL
https://ai.eastmoney.com/mxClaw
SKILL.md:31

Medium · External URL
https://ai-saas.eastmoney.com/proxy/b/mcp/tool/selectSecurity
scripts/get_data.py:74
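The High hit above is the kind of false positive a bare credential regex produces: it fires on 'your_api_key_here' without asking whether the value could be a real secret, while the review findings correctly rate it as Info. The following Python is an added example rather than the scanner's own code. It triages credential-pattern hits by placeholder markers, length and character entropy, and rates a real-looking literal lower in documentation than in code; the patterns, thresholds, file-suffix list and constructed sample lines (including the obviously fake key) are assumptions.

```python
"""Added example (not the scanner's code): triage credential-pattern hits so a
documentation placeholder is not reported at the same severity as a real
hardcoded secret. Patterns, thresholds and sample lines are assumptions."""
import math
import re

# Constructed inputs: the SKILL.md line the pattern scanner flagged, plus three
# variants (an obviously fake but realistic-looking key, a short literal, and
# the env-var read the report credits as correct handling).
SAMPLES = [
    ('SKILL.md', 78, 'export EM_API_KEY="your_api_key_here"'),
    ('scripts/config.py', 12, 'EM_API_KEY = "k7Qw9ZxL2mP4vR8tY1nB6dH3sF5gJ0aC"'),
    ('scripts/settings.py', 3, 'api_key = "abc123"'),
    ('scripts/get_data.py', 50, "EM_API_KEY = os.environ.get('EM_API_KEY')"),
]

CODE_SUFFIXES = ('.py', '.js', '.ts', '.go', '.rb', '.json', '.yaml', '.yml', '.env', '.toml')

# NAME = "value" where NAME contains a credential-ish word.
ASSIGN_RE = re.compile(
    r'(?P<name>[A-Z0-9_]*(?:api[_-]?key|secret|token|password)[A-Z0-9_]*)'
    r'\s*=\s*(?P<quote>["\'])(?P<value>[^"\']+)(?P=quote)',
    re.IGNORECASE,
)
# Markers that identify a documentation placeholder rather than a real value.
PLACEHOLDER_RE = re.compile(
    r'^your_|_here$|^<.*>$|xxx|example|placeholder|changeme|replace|dummy|\$\{',
    re.IGNORECASE,
)


def shannon_entropy(value):
    """Bits per character; random API keys usually score well above 3."""
    if not value:
        return 0.0
    length = len(value)
    return -sum(value.count(c) / length * math.log2(value.count(c) / length) for c in set(value))


def classify(path, line):
    """Return (severity, reason) for a credential assignment on this line, or None."""
    match = ASSIGN_RE.search(line)
    if match is None:
        return None
    value = match.group('value')
    if PLACEHOLDER_RE.search(value):
        return ('Info', 'placeholder value, documentation example')
    entropy = shannon_entropy(value)
    if len(value) >= 16 and entropy >= 3.0:
        # A real-looking secret in code is High; the same literal in docs still
        # deserves review, but is more likely an example.
        severity = 'High' if path.endswith(CODE_SUFFIXES) else 'Medium'
        return (severity, f'high-entropy literal ({entropy:.2f} bits/char)')
    return ('Low', 'short or low-entropy literal')


def triage(samples):
    """Apply classify() to (path, line_no, text) tuples; drop lines with no credential literal."""
    results = []
    for path, line_no, text in samples:
        verdict = classify(path, text)
        if verdict is not None:
            results.append((path, line_no, verdict[0], verdict[1]))
    return results


if __name__ == '__main__':
    for path, line_no, severity, reason in triage(SAMPLES):
        print(f'{severity:<6} {path}:{line_no}  {reason}')
```

On the constructed samples the SKILL.md placeholder comes out as Info, the fake 32-character key in a .py file as High, the short literal as Low, and the os.environ.get line is not reported at all, which is the ordering a reviewer would expect. Entropy alone is not proof of a secret (base64 blobs and hashes also score high), so a production tool should additionally verify candidate keys against the provider where that is permitted.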

File Tree

2 files · 22.1 KB · 600 lines
Python: 1 file, 432 lines · Markdown: 1 file, 168 lines
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 432L · 16.8 KB
└─ 📝 SKILL.md Markdown 168L · 5.4 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
httpx | * | pip | No | Version not pinned (any release is accepted); httpx is a reputable library with active security maintenance, but pinning a minimum version or using a lock file would make installs reproducible

Security Positives

✓ Credential properly handled via environment variable (EM_API_KEY), never hardcoded
✓ API key only sent over HTTPS to East Money's own domain (ai-saas.eastmoney.com), in the em_api_key request header
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No shell execution, no base64/encoded payloads, no eval()
✓ No data exfiltration or suspicious outbound connections
✓ Clean async HTTP client (httpx) with timeout configured
✓ No dependency vulnerabilities flagged for httpx