Low risk: risk score 15/100
Last scan: 2 days ago
mx_stocks_screener
妙想 (Miaoxiang) large-model stock-picking tool - Natural language stock/ETF/fund screener using East Money API
Legitimate stock screener tool using East Money API with proper credential handling, though minor documentation gap exists around declared vs inferred capabilities.
Skill name: mx_stocks_screener
Analysis time: 32.2s
Engine: pi
Verdict: safe to install
Recommendation: Add explicit documentation of the filesystem:WRITE and network:WRITE capabilities in the SKILL.md metadata. The 'your_api_key_here' placeholder in the docs is a documentation example only and poses no risk.

Security findings (3)

Severity | Finding | Location

Severity: Low
Finding: Undeclared network capability
The code performs HTTP POST requests to ai-saas.eastmoney.com, but network access is not declared in the SKILL.md metadata. This is, however, the core functionality of the skill, and the endpoint is East Money's legitimate financial data API.
Evidence: result = await client.post(MCP_URL, json=meta, headers={'em_api_key': EM_API_KEY})
→ Add network:WRITE to the allowed-tools declaration in _meta.json or the SKILL.md metadata
Location: scripts/get_data.py:271

Severity: Low
Finding: Undeclared filesystem write capability
The code writes CSV and description files to disk, but filesystem:WRITE is not declared in the metadata. The write is required for the skill's output functionality.
Evidence: with open(csv_path, 'w', newline='', encoding='utf-8') as f:
→ Document that the skill writes output files to the configurable output_dir
Location: scripts/get_data.py:219

Severity: Info
Finding: Documentation placeholder key
SKILL.md line 78 shows 'your_api_key_here' as an example value. This is a documentation placeholder, not an actual hardcoded credential; the code correctly reads the key from the environment variable EM_API_KEY.
Evidence: export EM_API_KEY="your_api_key_here"
→ No action needed; this is standard documentation practice
Location: SKILL.md:78
Resource type | Declared permission | Inferred permission | Status | Evidence
Environment variables | READ | READ | ✓ Consistent | scripts/get_data.py:50 os.environ.get('EM_API_KEY')
Network access | NONE | WRITE | ✓ Consistent | scripts/get_data.py:271 client.post(MCP_URL, headers={'em_api_key': EM_API_KEY})
Filesystem | NONE | WRITE | ✓ Consistent | scripts/get_data.py:219 csv_path.write_text() and csv.DictWriter
Command execution | NONE | NONE | | No subprocess or shell execution found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
Clipboard | NONE | NONE | | No clipboard access found
Skill invocation | NONE | NONE | | No skill invocation found
Pattern matches: 1 high, 3 findings

High | API key | Suspected hardcoded credential
API_KEY="your_api_key_here"
SKILL.md:78

Medium | External URL
https://ai.eastmoney.com/mxClaw
SKILL.md:31

Medium | External URL
https://ai-saas.eastmoney.com/proxy/b/mcp/tool/selectSecurity
scripts/get_data.py:74

Directory structure

2 files · 22.1 KB · 600 lines
Python 1 file · 432 lines; Markdown 1 file · 168 lines
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 432 lines · 16.8 KB
└─ 📝 SKILL.md Markdown 168 lines · 5.4 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
httpx | * | pip | | Version not pinned, but httpx is a reputable library with active security maintenance

Security highlights

✓ Credential properly handled via environment variable (EM_API_KEY), never hardcoded
✓ API key only sent to East Money's official domain (eastmoney.com)
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No shell execution, no base64/encoded payloads, no eval()
✓ No data exfiltration or suspicious outbound connections
✓ Clean async HTTP client (httpx) with timeout configured
✓ No dependency vulnerabilities flagged for httpx