Scan Report
5 /100
gold-price-fetcher
通过京东金融 API 获取实时金价,返回带时间戳的完整信息
Legitimate gold price fetching skill with no malicious behavior - all functionality is documented and API calls target a known financial service.
Safe to install
Skill is safe for use. Consider pinning the requests library version for better reproducibility.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned dependency Supply Chain | scripts/fetch_gold_price.py |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | scripts/fetch_gold_price.py:38 - requests.get() |
| Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | scripts/fetch_gold_price.py:35 - os.makedirs(), f.write() |
4 findings
Medium External URL 外部 URL
https://ms.jr.jd.com/gw2/generic/CreatorSer/newh5/m/getFirstRelatedProductInfo README.md:31 Medium External URL 外部 URL
https://clawhub.ai/import** 发布说明.md:18 Medium External URL 外部 URL
https://clawhub.ai/docs 发布说明.md:71 Medium External URL 外部 URL
https://mirror-cn.clawhub.com 发布说明.md:72 File Tree
4 files · 7.0 KB · 302 lines Markdown 3f · 202L
Python 1f · 100L
├─
▾
scripts
│ └─
fetch_gold_price.py
Python
├─
README.md
Markdown
├─
SKILL.md
Markdown
└─
发布说明.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
requests | * | pip | No | Version not pinned |
Security Positives
✓ No shell execution or subprocess usage
✓ No credential harvesting or environment variable access
✓ No base64 encoding or obfuscation
✓ All functionality declared in SKILL.md
✓ Network calls target legitimate JD Finance API
✓ Cache mechanism is documented and transparent
✓ No hidden functionality or shadow behavior
✓ Clean code with proper error handling