安全决策报告
stocktoday-mcp
自定义后端 `https://tushare.citydata.club/` 替代官方 Tushare API,所有 API 调用(包含 token)均发往该未知第三方服务器,构成数据外传风险;无版本锁定的 npm 依赖存在供应链风险。
最直接的威胁证据
01
用户配置 STOCKTODAY_TOKEN 环境变量 初始入口 · SKILL.md
02
MCP server 以 STDIO 模式启动并注册 155 个工具 权限提升 · src/index.ts
03
用户调用任意 tool,token + 查询参数 POST 到未知第三方 https://tushare.citydata.club/ 最终危害 · src/index.ts
为什么得出这个结论
2/4 个维度触发 阻止
声明与实际能力
发现 2 项声明之外的能力或越权行为。
复核
隐藏执行与外联
提取到 108 个一般风险产物,需要结合上下文判断。
阻止
攻击链与高危发现
报告包含 3 步攻击链,另有 0 项高危或严重发现。
复核
依赖与供应链卫生
发现 3 项需要关注的依赖或供应链线索。
攻击链
01
用户配置 STOCKTODAY_TOKEN 环境变量
初始入口 · SKILL.md:29
02
MCP server 以 STDIO 模式启动并注册 155 个工具
权限提升 · src/index.ts:201
03
用户调用任意 tool,token + 查询参数 POST 到未知第三方 https://tushare.citydata.club/
最终危害 · src/index.ts:13
风险分是怎么被拉高的
数据外传至未知第三方 +25
所有 API 调用(含 token 和查询参数)均 POST 到自定义后端 tushare.citydata.club,而非官方 Tushare
依赖无版本锁定 +10
axios ^1.6.0 无版本锁定,pip 中无风险
环境变量读取 +5
读取 STOCKTODAY_TOKEN/TUSHARE_TOKEN,属于声明范围内的正常凭证使用
自定义后端可控性不明 +5
后端运营方和隐私政策未知,SKILL.md 明确标注但意图不明确
最关键的证据
中危 数据外泄
凭证及查询数据发往未知第三方服务器
代码将 STOCKTODAY_TOKEN 和用户查询参数以 POST application/x-www-form-urlencoded 形式发送到 https://tushare.citydata.club/,而非 Tushare 官方 API。所有请求参数(含股票代码、日期范围等)均被暴露给该自定义后端,SKILL.md 仅以'使用自定义后端服务'一笔带过,未说明后端运营方、数据留存政策及合规性。
src/index.ts:13 明确披露自定义后端的运营方、数据处理政策和隐私声明;或替换为官方 Tushare API 端点。
中危 供应链
axios 无版本锁定存在依赖供应链风险
package.json 中 axios 依赖声明为 ^1.6.0,允许自动升级到 1.x 最新版。axios 曾有 SSRF 和 CRLF 注入等历史漏洞(CVE-2019-10742 等),无版本锁定意味着自动引入含有漏洞的新版本。
package.json:11 锁定版本:"axios": "1.7.4" 或更高安全版本,并在 package-lock.json 中确认实际安装版本。
低危 文档欺骗
文档未声明 network:WRITE 权限
SKILL.md 未声明该 skill 需要向外部服务器发送 HTTP 请求的能力,仅说明'调用 Tushare API'。代码实际通过 fetch 主动 POST 数据到第三方,权限声明不完整。
SKILL.md:1 在 allowed-tools 或权限声明中明确:network:WRITE,用于向 tushare.citydata.club 发送 API 请求。
低危 供应链
@modelcontextprotocol/sdk 依赖官方库但无版本锁定
MCP SDK 声明为 ^1.0.0,虽为官方包但同样无版本锁定,存在供应链风险。
package.json:10 锁定 SDK 版本并定期更新。
声明能力 vs 实际能力
网络访问 阻止
声明 NONE
→ 推断 WRITE
src/index.ts:6,BASE_URL外部API调用 环境变量 阻止
声明 NONE
→ 推断 READ
src/index.ts:5,process.env读取token 文件系统 通过
声明 NONE
→ 推断 NONE
无直接文件系统操作 可疑产物与外联
中危 外部 URL
https://tushare.citydata.club/ SKILL.md:38
中危 外部 URL
https://registry.npmmirror.com/@hono/node-server/-/node-server-1.19.11.tgz package-lock.json:22
中危 外部 URL
https://registry.npmmirror.com/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz package-lock.json:34
中危 外部 URL
https://registry.npmmirror.com/@types/node/-/node-20.19.37.tgz package-lock.json:74
中危 外部 URL
https://registry.npmmirror.com/accepts/-/accepts-2.0.0.tgz package-lock.json:84
中危 外部 URL
https://registry.npmmirror.com/ajv/-/ajv-8.18.0.tgz package-lock.json:97
中危 外部 URL
https://registry.npmmirror.com/ajv-formats/-/ajv-formats-3.0.1.tgz package-lock.json:113
中危 外部 URL
https://registry.npmmirror.com/asynckit/-/asynckit-0.4.0.tgz package-lock.json:130
中危 外部 URL
https://registry.npmmirror.com/axios/-/axios-1.13.6.tgz package-lock.json:136
中危 外部 URL
https://registry.npmmirror.com/body-parser/-/body-parser-2.2.2.tgz package-lock.json:147
中危 外部 URL
https://opencollective.com/express package-lock.json:166
中危 外部 URL
https://registry.npmmirror.com/bytes/-/bytes-3.1.2.tgz package-lock.json:171
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| @modelcontextprotocol/sdk | ^1.0.0 | npm | 否 | 无版本锁定 |
| axios | ^1.6.0 | npm | 否 | 无版本锁定;历史CVE需关注 |
| typescript | ^5.0.0 | npm | 否 | devDependencies 无版本锁定 |
文件构成
10 个文件 · 2912 行
JSON 3 个文件 · 1346 行JavaScript 3 个文件 · 945 行TypeScript 1 个文件 · 274 行Markdown 2 个文件 · 215 行Python 1 个文件 · 132 行
需关注文件 · 4
package-lock.json https://registry.npmmirror.com/@hono/node-server/-/node-server-1.19.11.tgz · https://registry.npmmirror.com/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz · https://registry.npmmirror.com/@types/node/-/node-20.19.37.tgz · https://registry.npmmirror.com/accepts/-/accepts-2.0.0.tgz · https://registry.npmmirror.com/ajv/-/ajv-8.18.0.tgz · https://registry.npmmirror.com/ajv-formats/-/ajv-formats-3.0.1.tgz · https://registry.npmmirror.com/asynckit/-/asynckit-0.4.0.tgz · https://registry.npmmirror.com/axios/-/axios-1.13.6.tgz · https://registry.npmmirror.com/body-parser/-/body-parser-2.2.2.tgz · https://opencollective.com/express · https://registry.npmmirror.com/bytes/-/bytes-3.1.2.tgz · https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz · https://registry.npmmirror.com/call-bound/-/call-bound-1.0.4.tgz · https://registry.npmmirror.com/combined-stream/-/combined-stream-1.0.8.tgz · https://registry.npmmirror.com/content-disposition/-/content-disposition-1.0.1.tgz · https://registry.npmmirror.com/content-type/-/content-type-1.0.5.tgz · https://registry.npmmirror.com/cookie/-/cookie-0.7.2.tgz · https://registry.npmmirror.com/cookie-signature/-/cookie-signature-1.2.2.tgz · https://registry.npmmirror.com/cors/-/cors-2.8.6.tgz · https://registry.npmmirror.com/cross-spawn/-/cross-spawn-7.0.6.tgz · https://registry.npmmirror.com/debug/-/debug-4.4.3.tgz · https://registry.npmmirror.com/delayed-stream/-/delayed-stream-1.0.0.tgz · https://registry.npmmirror.com/depd/-/depd-2.0.0.tgz · https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz · https://registry.npmmirror.com/ee-first/-/ee-first-1.1.1.tgz · https://registry.npmmirror.com/encodeurl/-/encodeurl-2.0.0.tgz · https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz · https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz · https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz · https://registry.npmmirror.com/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz · https://registry.npmmirror.com/escape-html/-/escape-html-1.0.3.tgz · https://registry.npmmirror.com/etag/-/etag-1.8.1.tgz · https://registry.npmmirror.com/eventsource/-/eventsource-3.0.7.tgz · https://registry.npmmirror.com/eventsource-parser/-/eventsource-parser-3.0.6.tgz · https://registry.npmmirror.com/express/-/express-5.2.1.tgz · https://registry.npmmirror.com/express-rate-limit/-/express-rate-limit-8.3.1.tgz · https://registry.npmmirror.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz · https://registry.npmmirror.com/fast-uri/-/fast-uri-3.1.0.tgz · https://opencollective.com/fastify · https://registry.npmmirror.com/finalhandler/-/finalhandler-2.1.1.tgz · https://registry.npmmirror.com/follow-redirects/-/follow-redirects-1.15.11.tgz · https://registry.npmmirror.com/form-data/-/form-data-4.0.5.tgz · https://registry.npmmirror.com/mime-db/-/mime-db-1.52.0.tgz · https://registry.npmmirror.com/mime-types/-/mime-types-2.1.35.tgz · https://registry.npmmirror.com/forwarded/-/forwarded-0.2.0.tgz · https://registry.npmmirror.com/fresh/-/fresh-2.0.0.tgz · https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz · https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz · https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz · https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz · https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz · https://registry.npmmirror.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz · https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz · https://registry.npmmirror.com/hono/-/hono-4.12.7.tgz · https://registry.npmmirror.com/http-errors/-/http-errors-2.0.1.tgz · https://registry.npmmirror.com/iconv-lite/-/iconv-lite-0.7.2.tgz · https://registry.npmmirror.com/inherits/-/inherits-2.0.4.tgz · https://registry.npmmirror.com/ip-address/-/ip-address-10.1.0.tgz · https://registry.npmmirror.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz · https://registry.npmmirror.com/is-promise/-/is-promise-4.0.0.tgz · https://registry.npmmirror.com/isexe/-/isexe-2.0.0.tgz · https://registry.npmmirror.com/jose/-/jose-6.2.1.tgz · https://registry.npmmirror.com/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz · https://registry.npmmirror.com/json-schema-typed/-/json-schema-typed-8.0.2.tgz · https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz · https://registry.npmmirror.com/media-typer/-/media-typer-1.1.0.tgz · https://registry.npmmirror.com/merge-descriptors/-/merge-descriptors-2.0.0.tgz · https://registry.npmmirror.com/mime-db/-/mime-db-1.54.0.tgz · https://registry.npmmirror.com/mime-types/-/mime-types-3.0.2.tgz · https://registry.npmmirror.com/ms/-/ms-2.1.3.tgz · https://registry.npmmirror.com/negotiator/-/negotiator-1.0.0.tgz · https://registry.npmmirror.com/object-assign/-/object-assign-4.1.1.tgz · https://registry.npmmirror.com/object-inspect/-/object-inspect-1.13.4.tgz · https://registry.npmmirror.com/on-finished/-/on-finished-2.4.1.tgz · https://registry.npmmirror.com/once/-/once-1.4.0.tgz · https://registry.npmmirror.com/parseurl/-/parseurl-1.3.3.tgz · https://registry.npmmirror.com/path-key/-/path-key-3.1.1.tgz · https://registry.npmmirror.com/path-to-regexp/-/path-to-regexp-8.3.0.tgz · https://registry.npmmirror.com/pkce-challenge/-/pkce-challenge-5.0.1.tgz · https://registry.npmmirror.com/proxy-addr/-/proxy-addr-2.0.7.tgz · https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz · https://registry.npmmirror.com/qs/-/qs-6.15.0.tgz · https://registry.npmmirror.com/range-parser/-/range-parser-1.2.1.tgz · https://registry.npmmirror.com/raw-body/-/raw-body-3.0.2.tgz · https://registry.npmmirror.com/require-from-string/-/require-from-string-2.0.2.tgz · https://registry.npmmirror.com/router/-/router-2.2.0.tgz · https://registry.npmmirror.com/safer-buffer/-/safer-buffer-2.1.2.tgz · https://registry.npmmirror.com/send/-/send-1.2.1.tgz · https://registry.npmmirror.com/serve-static/-/serve-static-2.2.1.tgz · https://registry.npmmirror.com/setprototypeof/-/setprototypeof-1.2.0.tgz · https://registry.npmmirror.com/shebang-command/-/shebang-command-2.0.0.tgz · https://registry.npmmirror.com/shebang-regex/-/shebang-regex-3.0.0.tgz · https://registry.npmmirror.com/side-channel/-/side-channel-1.1.0.tgz · https://registry.npmmirror.com/side-channel-list/-/side-channel-list-1.0.0.tgz · https://registry.npmmirror.com/side-channel-map/-/side-channel-map-1.0.1.tgz · https://registry.npmmirror.com/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz · https://registry.npmmirror.com/statuses/-/statuses-2.0.2.tgz · https://registry.npmmirror.com/toidentifier/-/toidentifier-1.0.1.tgz · https://registry.npmmirror.com/type-is/-/type-is-2.0.1.tgz · https://registry.npmmirror.com/typescript/-/typescript-5.9.3.tgz · https://registry.npmmirror.com/undici-types/-/undici-types-6.21.0.tgz · https://registry.npmmirror.com/unpipe/-/unpipe-1.0.0.tgz · https://registry.npmmirror.com/vary/-/vary-1.1.2.tgz · https://registry.npmmirror.com/which/-/which-2.0.2.tgz · https://registry.npmmirror.com/wrappy/-/wrappy-1.0.2.tgz · https://registry.npmmirror.com/zod/-/zod-4.3.6.tgz · https://registry.npmmirror.com/zod-to-json-schema/-/zod-to-json-schema-3.25.1.tgz
src/index.ts 凭证及查询数据发往未知第三方服务器
SKILL.md 文档未声明 network:WRITE 权限 · https://tushare.citydata.club/
package.json axios 无版本锁定存在依赖供应链风险 · @modelcontextprotocol/sdk 依赖官方库但无版本锁定
其他文件 · index.js · index_generated.js · test_all.js · README.md · generate_mcp.py · tsconfig.json
安全亮点
代码逻辑清晰,155个工具均为标准股票数据查询,无 RCE、文件写入、敏感路径访问等危险操作
token 仅用于向 API 认证,未被外传或打印到日志
无 Base64 编码、eval、subprocess 等高危操作
无 HTML 注释、提示词注入等可疑内容
无凭证收割、环境变量遍历等恶意行为