扫描报告
0 /100
mx_financial_assistant
基于东方财富权威金融数据库的智能金融问答服务,覆盖数据查询、资讯搜索、选股选基等七大核心能力
A legitimate financial Q&A skill that wraps the East Money API with no malicious behavior detected.
可以安装
No action needed. The skill is safe to use.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | scripts/generate_answer.py:48-52 — httpx POST to eastmoney API |
| 环境变量 | READ | READ | ✓ 一致 | scripts/generate_answer.py:21 — os.environ.get('EM_API_KEY') |
| 命令执行 | NONE | NONE | — | No subprocess/spawn calls found |
| 文件系统 | NONE | NONE | — | No file read/write operations |
1 高危 2 项发现
高危 API 密钥 疑似硬编码凭证
API_KEY="your_api_key_here" SKILL.md:54 中危 外部 URL 外部 URL
https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/ask scripts/generate_answer.py:20 目录结构
2 文件 · 18.0 KB · 504 行 Python 1f · 275L
Markdown 1f · 229L
├─
▾
scripts
│ └─
generate_answer.py
Python
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
httpx | * | pip | 否 | Version not pinned, but package is widely used and reputable |
安全亮点
✓ No shell execution, subprocess, or spawn calls — pure Python logic
✓ No credential harvesting or exfiltration — EM_API_KEY used only for API authentication
✓ No base64, eval, or obfuscated code patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden HTML comments or steganographic payloads
✓ No remote script download/execution (curl|bash, wget|sh)
✓ httpx dependency is standard and appropriate for HTTP calls
✓ API endpoint is a known legitimate East Money service
✓ Code is clean, readable, and focused on the declared financial Q&A functionality
✓ The 'your_api_key_here' in SKILL.md is a documentation placeholder, not a real credential
✓ No suspicious network indicators — direct DNS-resolvable domain, no raw IP