Low risk: risk score 20/100
Last scan: 2 days ago
akshare
Use AKShare for Chinese market and macro-finance data via Python. Fetches public A-share / HK stock / US stock / ETF / fund / index / macro / interest-rate / bond / futures / commodity / dividend / financial-statement data.
Legitimate financial data retrieval tool (AKShare wrapper) with documented venv bootstrapping and a Python eval() expression runner; the eval() with full builtins is a minor concern but is core to the documented use case with no evidence of abuse.
Skill name: akshare
Analysis time: 48.7s
Engine: pi
Verdict: OK to install
Accept for use. Monitor the venv path ($HOME/.openclaw/.venvs/akshare) for unexpected packages. Consider restricting eval builtins if future versions need tighter isolation.

Security findings: 3

Each finding lists severity, title, description, the offending line, a recommendation (→), and the location.

[Medium] Python eval() with full builtins exposed
scripts/akshare_eval.py passes __builtins__ directly to eval(), granting access to dangerous functions such as __import__, open, compile, and built-in constructors. While the expression namespace is intentionally scoped (only ak/pd/json available), a malicious expression could still invoke builtins to read files, enumerate modules, or escalate behavior within the process.
    result = eval(args.expr, {'__builtins__': __builtins__}, env)
→ Restrict __builtins__ to a minimal whitelist (e.g., only safe built-in functions) or sandbox the eval in a subprocess with seccomp. Document this trade-off in SKILL.md.
Location: scripts/akshare_eval.py:28

[Low] Unversioned pip install of akshare
The bootstrap script installs 'akshare' from PyPI without a version pin. This creates a minor supply-chain risk where a future breaking or compromised release could affect behavior.
    "$VENV/bin/pip" install --upgrade akshare
→ Pin to a known-good version, e.g. 'akshare==1.13.0', and update periodically through a controlled release process.
Location: scripts/bootstrap_akshare_env.sh:8

[Low] External social links not verified
SKILL.md references https://github.com/Zack995 and https://x.com/btc_cczzc as the official homepage and maintainer. These point to a non-standard AKShare fork (the canonical repo is akfamily/akshare). The skill bundles its own bootstrap rather than relying on a standard pip install of the published package.
    GitHub: https://github.com/Zack995
→ Verify the maintainer's identity and ensure the bundled AKShare fork is the official upstream or a trusted modification. Prefer installing the standard PyPI package directly.
Location: SKILL.md:91
Permissions (resource type: declared permission / inferred permission, status, evidence)
Command execution: WRITE / WRITE, ✓ consistent. Evidence: SKILL.md documents bash bootstrap; scripts/bootstrap_akshare_env.sh creates venv…
File system: WRITE / WRITE, ✓ consistent. Evidence: bootstrap_akshare_env.sh writes to $HOME/.openclaw/.venvs/akshare
Network access: NONE / READ, ✓ consistent. Evidence: AKShare fetches public financial data from Chinese market APIs; this is the core…
Skill invocation: NONE / NONE. Evidence: No skill-invocation patterns detected
External URL findings: 1
[Medium] External URL: https://x.com/btc_cczzc
Location: SKILL.md:92

Directory structure

4 files · 5.6 KB · 214 lines
Markdown: 2 files, 151 lines · Python: 1 file, 51 lines · Shell: 1 file, 12 lines
├─ 📁 references
│ └─ 📝 common-recipes.md Markdown 59L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 akshare_eval.py Python 51L · 1.5 KB
│ └─ 🔧 bootstrap_akshare_env.sh Shell 12L · 338 B
└─ 📝 SKILL.md Markdown 92L · 2.6 KB

Dependency analysis: 2

Package / Version / Source / Known vulnerabilities / Notes
akshare / * / pip (PyPI) / none listed / No version pinned; bootstrap installs latest from PyPI
pandas / * / akshare dependency / none listed / Transitive dependency, installed with akshare

Security highlights

✓ No evidence of credential harvesting, key enumeration, or os.environ iteration
✓ No base64 decode/eval chains, no curl|bash or wget|sh remote execution
✓ No hidden instructions in comments or HTML
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, or .env
✓ No network connections to external IPs outside of legitimate AKShare API calls
✓ The skill's core functionality (financial data retrieval) is straightforward and auditable