Scan Report
45/100
oracle-report
A-share market close daily report generator, covering major market indices, sentiment and fund-flow data, and global market data
Skill contains multiple hardcoded API credentials that should use environment variables, creating significant credential exposure risk through source code visibility and process argument logging.
Use with caution
Move all API keys from hardcoded strings to environment variable lookups. The SKILL.md explicitly requires QVERIS_API_KEY and MX_APIKEY as environment variables, but the implementation bypasses this with hardcoded values at lines 114, 123 and 125.
Attack Chain (3 steps)
1. Escalation: Hardcoded credentials visible in source code (scripts/oracle_report_generator.py:114)
2. Escalation: Credentials passed as subprocess arguments, visible in process listings (scripts/oracle_report_generator.py:340)
3. Impact: Attacker with repo access or process listing visibility can steal API keys
Findings (1 item)
| Severity | Finding | Location |
|---|---|---|
| High | Hardcoded QVeris API Key Credential Theft | scripts/oracle_report_generator.py:114 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | SKILL.md:save report to workspace |
| Network | NONE | READ | ✓ Aligned | SKILL.md:data sources declared |
| Shell | NONE | WRITE | ✗ Violation | scripts/oracle_report_generator.py:subprocess.run commands not declared |
1 Critical · 3 High · 21 findings
| Severity | Type | Finding | Value | Location |
|---|---|---|---|---|
| Critical | API Key | Hardcoded API key | `sk-TR53nxR09FDDTyjRATrS0lHi5yT0E3SI3U2NU2JBHT0` | scripts/oracle_report_generator.py:114 |
| High | API Key | Suspected hardcoded credential | `API_KEY = "sk-TR53nxR09FDDTyjRATrS0lHi5yT0E3SI3U2NU2JBHT0"` | scripts/oracle_report_generator.py:114 |
| High | API Key | Suspected hardcoded credential | `APIKEY = "mkt_RyCLYiWKZNRjp-GYkkT4VhDlb9l94muesZydiL7KMXM"` | scripts/oracle_report_generator.py:123 |
| High | API Key | Suspected hardcoded credential | `API_KEY = "d71s571r01qpd27931ggd71s571r01qpd27931h0"` | scripts/oracle_report_generator.py:125 |
| Medium | External URL | External URL | `http://qt.gtimg.cn/q=` | scripts/oracle_report_generator.py:291 |
| Medium | External URL | External URL | `https://finance.sina.com.cn` | scripts/oracle_report_generator.py:354 |
| Medium | External URL | External URL | `https://hq.sinajs.cn/list=` | scripts/oracle_report_generator.py:364 |
| Medium | External URL | External URL | `http://qt.gtimg.cn/q=sh000001` | scripts/oracle_report_generator.py:544 |
| Medium | External URL | External URL | `https://mkapi2.dfcfs.com/finskillshub/api/claw/query` | scripts/oracle_report_generator.py:622 |
| Medium | External URL | External URL | `http://hq.sinajs.cn/list=fx_susdcny` | scripts/oracle_report_generator.py:1212 |
| Medium | External URL | External URL | `http://qt.gtimg.cn/q=r_hkHSI` | scripts/oracle_report_generator.py:1340 |
| Medium | External URL | External URL | `https://fred.stlouisfed.org/graph/fredgraph.csv?id=DGS30&cosd=` | scripts/oracle_report_generator.py:1498 |
| Medium | External URL | External URL | `http://hq.sinajs.cn/list=nf_AU0` | scripts/oracle_report_generator.py:1547 |
| Medium | External URL | External URL | `https://finance.sina.com.cn/futuremarket/quotes/au.html` | scripts/oracle_report_generator.py:1550 |
| Medium | External URL | External URL | `https://push2.eastmoney.com/api/qt/clist/get?pn=1&pz=50&po=1&np=1&ut=bd1d9ddb01984300aa256e6293924598&fltt=2&invt=2&fid=...` | scripts/oracle_report_generator.py:1600 |
| Medium | External URL | External URL | `http://hq.sinajs.cn/list=hf_CL` | scripts/oracle_report_generator.py:1809 |
| Medium | External URL | External URL | `http://hq.sinajs.cn/list=nf_SC0` | scripts/oracle_report_generator.py:1834 |
| Medium | External URL | External URL | `https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_MARGIN_FINANCE&columns=ALL&filter=&pageSize=1&pageNu...` | scripts/oracle_report_generator.py:1918 |
| Medium | External URL | External URL | `http://vip.stock.finance.sina.com.cn/quotes_service/api/json_v2.php/Market_Center.getHQNodeData?page=1&num=6000&sort=cha...` | scripts/oracle_report_generator.py:2092 |
| Medium | External URL | External URL | `http://push2.eastmoney.com/api/qt/clist/get?pn=1&pz=6000&po=1&fid=f3&fs=m:0+t:6` | scripts/oracle_report_generator.py:2143 |
| Medium | External URL | External URL | `https://push2.eastmoney.com/api/qt/stock/fflow/kline/get?secid=1.000001&fields1=f1` | scripts/oracle_report_generator.py:2599 |
File Tree
3 files · 170.4 KB · 4296 lines (Python: 1 file, 4094 lines · Markdown: 1 file, 185 lines · JSON: 1 file, 17 lines)
├─ scripts/
│  └─ oracle_report_generator.py (Python)
├─ _meta.json (JSON)
└─ SKILL.md (Markdown)
Dependencies (3 items)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| akshare | not pinned | pip | No | Version not specified in code; no requirements.txt |
| requests | not pinned | pip | No | Used for HTTP requests |
| urllib | stdlib | python | No | Standard library |
Security Positives
✓ Financial data fetching is legitimate and declared in SKILL.md data sources
✓ No evidence of credential exfiltration or data theft to external C2 servers
✓ Uses standard financial data APIs (Tencent, Sina, AKShare, Eastmoney, FRED)
✓ Report generation and file saving behavior aligns with documented functionality