Scan Report
0 /100
mx_financial_assistant
基于东方财富权威金融数据库的智能金融问答服务,覆盖数据查询、资讯搜索、选股选基等七大核心能力
A legitimate financial Q&A skill that wraps the East Money API with no malicious behavior detected.
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | scripts/generate_answer.py:48-52 — httpx POST to eastmoney API |
| Environment | READ | READ | ✓ Aligned | scripts/generate_answer.py:21 — os.environ.get('EM_API_KEY') |
| Shell | NONE | NONE | — | No subprocess/spawn calls found |
| Filesystem | NONE | NONE | — | No file read/write operations |
1 High 2 findings
High API Key 疑似硬编码凭证
API_KEY="your_api_key_here" SKILL.md:54 Medium External URL 外部 URL
https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/ask scripts/generate_answer.py:20 File Tree
2 files · 18.0 KB · 504 lines Python 1f · 275L
Markdown 1f · 229L
├─
▾
scripts
│ └─
generate_answer.py
Python
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
httpx | * | pip | No | Version not pinned, but package is widely used and reputable |
Security Positives
✓ No shell execution, subprocess, or spawn calls — pure Python logic
✓ No credential harvesting or exfiltration — EM_API_KEY used only for API authentication
✓ No base64, eval, or obfuscated code patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden HTML comments or steganographic payloads
✓ No remote script download/execution (curl|bash, wget|sh)
✓ httpx dependency is standard and appropriate for HTTP calls
✓ API endpoint is a known legitimate East Money service
✓ Code is clean, readable, and focused on the declared financial Q&A functionality
✓ The 'your_api_key_here' in SKILL.md is a documentation placeholder, not a real credential
✓ No suspicious network indicators — direct DNS-resolvable domain, no raw IP