Trusted — Risk Score 5/100
Last scan: 21 hr ago
stock-selector
A-share stock selection tool - supports staged screening, batch queries and automated stock selection (A-Share Stock Selector)
A legitimate A-share stock selector tool with no malicious behavior; fetches market data from Tencent Finance and filters stocks through 4 strategy stages.
Skill Name: stock-selector
Duration: 39.2s
Engine: pi
Safe to install
This skill is safe to use. No action required.

Findings 3 items

Severity Finding Location
Low
Documented file structure not present Doc Mismatch
SKILL.md references strategies/, pool/, docs/ directories and files (strategies/overnight.py, strategies/breakout.py, pool/stock_pool.json, docs/strategy.md) that do not exist in the repository. Only stock_selector.py, stock_selector_v8.py, and tests/test_selector.py are present.
├── strategies/
│   ├── overnight.py
│   └── breakout.py
├── pool/
│   └── stock_pool.json
├── docs/
│   └── strategy.md
→ Update SKILL.md to reflect the actual file structure, or ensure bundled files are included in the skill package.
SKILL.md:89
Low
Unpinned requests dependency Supply Chain
package.json specifies 'requests>=2.28.0' without an upper bound, and no requirements.txt accompanies stock_selector_v8.py. This allows any future version of requests to be installed.
"requests": ">=2.28.0"
→ Pin to a specific version, e.g., requests==2.28.2, to ensure reproducible builds and avoid supply chain risks from breaking changes.
package.json:29
Low
Hardcoded absolute path in stock_selector_v8.py Priv Escalation
stock_selector_v8.py line 17 uses a hardcoded path '/home/admin/openclaw/workspace/strategies/候选股票池.json' while stock_selector.py uses a relative path resolved via os.path.dirname(__file__). The hardcoded path will fail on non-matching environments.
POOL_FILE = "/home/admin/openclaw/workspace/strategies/候选股票池.json"
→ Use __file__-relative path resolution like the main script does, or accept POOL_FILE as an environment variable.
stock_selector_v8.py:17
Resource | Declared | Inferred | Status | Evidence
Network READ READ ✓ Aligned requests.get(url) to qt.gtimg.cn
Filesystem READ READ ✓ Aligned load_stock_pool reads local JSON; results written to configured output_dir
Shell NONE NONE No subprocess/shell calls found in any file
Environment NONE NONE Only reads STOCK_OUTPUT_DIR and STOCK_POOL_FILE env vars for configuration
Clipboard NONE NONE Not accessed
Browser NONE NONE Not accessed
Database NONE NONE Not accessed
Skill Invoke NONE NONE No inter-skill invocation
1 finding
Medium External URL
https://qt.gtimg.cn/q=
stock_selector.py:46

File Tree

5 files · 26.1 KB · 877 lines
Python: 3 files · 610 lines; Markdown: 1 file · 230 lines; JSON: 1 file · 37 lines
├─ 📁 tests
│ └─ 🐍 test_selector.py Python 86L · 2.6 KB
├─ 📋 package.json JSON 37L · 890 B
├─ 📝 SKILL.md Markdown 230L · 4.7 KB
├─ 🐍 stock_selector_v8.py Python 301L · 10.3 KB
└─ 🐍 stock_selector.py Python 223L · 7.7 KB

Dependencies 1 item

Package | Version | Source | Known Vulns | Notes
requests >=2.28.0 package.json No Version not pinned to a specific release

Security Positives

✓ No shell execution (subprocess, os.system) in any file
✓ No credential harvesting or environment variable iteration for secrets
✓ No base64 or encoded payloads
✓ No reverse shell, C2, or data exfiltration patterns
✓ No hidden HTML comments or steganographic payloads
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No eval(), exec(), or dynamic code execution
✓ No curl|bash or wget|sh remote script installation
✓ No obfuscation techniques detected
✓ Network requests are limited to a single, declared data source (qt.gtimg.cn)
✓ Dependencies are minimal (only the requests library)
✓ Both scripts are straightforward, readable Python with no suspicious patterns