Trusted: risk score 5/100
Last scanned: 23 hours ago
stock-selector
A 股选股工具 - 支持分阶段筛选、批量查询、自动化选股 (A-Share Stock Selector)
A legitimate A-share stock selector tool with no malicious behavior; fetches market data from Tencent Finance and filters stocks through 4 strategy stages.
Skill name: stock-selector
Analysis time: 39.2s
Engine: pi
Verdict: OK to install
This skill is safe to use. No action required.

Security findings (3)

Severity | Finding | Location
Low
Documented file structure not present (category: documentation deception)
SKILL.md references strategies/, pool/ and docs/ directories and the files strategies/overnight.py, strategies/breakout.py, pool/stock_pool.json and docs/strategy.md, none of which exist in the repository. The only code present is stock_selector.py, stock_selector_v8.py and tests/test_selector.py (alongside SKILL.md and package.json).
├── strategies/
│   ├── overnight.py
│   └── breakout.py
├── pool/
│   └── stock_pool.json
├── docs/
│   └── strategy.md
→ Update SKILL.md to reflect the actual file structure, or ensure bundled files are included in the skill package.
SKILL.md:89
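The mismatch above is easy to catch mechanically. The following is an added example, not code from the stock-selector skill or from the scanner: it parses a box-drawing tree such as the one SKILL.md carries into relative paths and reports every entry that is absent. The tree text and the list of present files are constructed from this finding; the indentation rule (nesting width taken from the narrowest guide prefix) is this example's own assumption.

```python
"""Check that a directory tree documented in SKILL.md exists on disk.

Added example, not part of the stock-selector skill or the scanner that
produced this report. The tree text and the list of present files below are
constructed from the finding above.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Tree as documented in SKILL.md (constructed from the finding above).
DOCUMENTED_TREE = """\
├── strategies/
│   ├── overnight.py
│   └── breakout.py
├── pool/
│   └── stock_pool.json
├── docs/
│   └── strategy.md
"""

# Files the scan actually found in the repository (constructed).
PRESENT_FILES = {
    "stock_selector.py",
    "stock_selector_v8.py",
    "tests/test_selector.py",
    "package.json",
    "SKILL.md",
}

# One tree line: vertical guides, a connector (├── / └── / ├─), then the name.
_TREE_LINE = re.compile(r"^(?P<prefix>[│\s]*)[├└]─+\s*(?P<name>.+?)\s*$")


def parse_tree(tree_text: str) -> list[str]:
    """Convert a box-drawing tree into relative paths, in document order.

    Nesting depth comes from the width of the guide prefix; the per-level
    width is inferred from the narrowest non-empty prefix (4 for '│   ',
    2 for '│ '). Lines without a connector (a root name, prose) are skipped.
    """
    matches = [_TREE_LINE.match(line) for line in tree_text.splitlines()]
    widths = [len(m.group("prefix")) for m in matches if m and m.group("prefix")]
    unit = min(widths) if widths else 4
    stack: list[str] = []   # names of the entries enclosing the current line
    paths: list[str] = []
    for m in matches:
        if not m:
            continue
        depth = len(m.group("prefix")) // unit
        name = m.group("name").split("#")[0].strip().rstrip("/")
        del stack[depth:]               # back out to this entry's parent
        paths.append("/".join(stack + [name]))
        stack.append(name)              # may become a parent of later lines
    return paths


def find_missing(tree_text: str, present: set[str]) -> list[str]:
    """Documented paths that are absent, given a set of present file paths.

    A directory counts as present if any present file lies beneath it.
    """
    known: set[str] = set()
    for p in present:
        parts = Path(p.strip("/")).parts
        for i in range(1, len(parts) + 1):
            known.add("/".join(parts[:i]))
    return [p for p in parse_tree(tree_text) if p not in known]


def find_missing_on_disk(tree_text: str, root: str | Path) -> list[str]:
    """Same check against a real checkout rooted at `root`."""
    root = Path(root)
    return [p for p in parse_tree(tree_text) if not (root / p).exists()]


if __name__ == "__main__":
    # Recreate the scanned layout in a scratch directory and run the disk check.
    with tempfile.TemporaryDirectory() as tmp:
        for rel in PRESENT_FILES:
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("")
        for missing in find_missing_on_disk(DOCUMENTED_TREE, tmp):
            print(f"documented but absent: {missing}")
```

Run against a checkout, `find_missing_on_disk(tree_from_skill_md, repo_root)` returns the seven documented entries for this skill; an empty list means the documentation and the package agree.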
Low
Unpinned requests dependency (category: supply chain)
package.json specifies 'requests>=2.28.0' with no upper bound, and no requirements.txt accompanies stock_selector_v8.py, so any future release of requests, including one with breaking changes, can be installed.
"requests": ">=2.28.0"
→ Pin to a specific version, e.g. requests==2.28.2, so installs are reproducible and a future release cannot change behaviour unreviewed; if a requirements.txt is added, record hashes as well so that pip install --require-hashes verifies what is downloaded.
package.json:29
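A reviewer can lint specifiers like the one above before installing a skill. The following is an added example, not code from the skill or from the scanner: it classifies PEP 440 specifiers as pinned, bounded, lower-bound-only or unconstrained, and applies that to a constructed manifest excerpt and a constructed requirements.txt. The "dependencies" key in the manifest is an assumption about the skill manifest layout, as are the placeholder hash and the idna line.

```python
"""Flag dependency specifiers that leave the installed version open.

Added example, not code from the stock-selector skill or the scanner. The
manifest excerpt and requirements lines are constructed; the "dependencies"
key is an assumption about the skill manifest layout, not taken from the scan.
"""
from __future__ import annotations

import json
import re

# Constructed manifest excerpt echoing the flagged line from package.json.
MANIFEST_JSON = """
{
  "name": "stock-selector",
  "dependencies": {
    "requests": ">=2.28.0"
  }
}
"""

# Constructed requirements.txt: one hash-pinned line, one loose line.
REQUIREMENTS_TXT = """\
# generated with pip-compile --generate-hashes (hash value is a placeholder)
requests==2.28.2 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
idna>=3
"""

# One PEP 440 comparison clause, e.g. ">=2.28.0" or "==2.28.*".
_CLAUSE = re.compile(r"(===|==|!=|~=|<=|>=|<|>)\s*([0-9A-Za-z.*+!-]+)")

# A requirements.txt line: name, optional extras, then specifier and options.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def classify_specifier(spec: str) -> str:
    """Return 'pinned', 'bounded', 'lower-bound-only' or 'unconstrained'.

    pinned            ==X.Y.Z (or ===): exactly one release can be installed
    bounded           an upper bound exists (<, <=, ~=, ==X.Y.*)
    lower-bound-only  only >= or > (plus optional !=): every newer release is accepted
    unconstrained     empty, '*', no operator at all, or only != exclusions
    """
    clauses = _CLAUSE.findall(spec)
    if not clauses:
        return "unconstrained"
    ops = {op for op, _ in clauses}
    if any(op in ("==", "===") and "*" not in ver for op, ver in clauses):
        return "pinned"
    if ops & {"<", "<=", "~=", "=="}:
        return "bounded"
    if ops <= {"!="}:
        return "unconstrained"
    return "lower-bound-only"


def find_unpinned(deps: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Map each dependency that is not exactly pinned to (specifier, class)."""
    out: dict[str, tuple[str, str]] = {}
    for name, spec in deps.items():
        kind = classify_specifier(spec)
        if kind != "pinned":
            out[name] = (spec, kind)
    return out


def parse_requirements(text: str) -> dict[str, str]:
    """Extract name -> specifier from requirements.txt, dropping hashes and markers."""
    deps: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        m = _REQ_LINE.match(line)
        if not m:
            continue                             # blanks, -r / --index-url options
        spec = m.group(3).split("--hash")[0].split(";")[0].strip()
        deps[m.group(1)] = spec
    return deps


def manifest_dependencies(manifest_text: str) -> dict[str, str]:
    """Read the assumed 'dependencies' object from a skill manifest."""
    return dict(json.loads(manifest_text).get("dependencies", {}))


if __name__ == "__main__":
    sources = (("package.json", manifest_dependencies(MANIFEST_JSON)),
               ("requirements.txt", parse_requirements(REQUIREMENTS_TXT)))
    for source, deps in sources:
        for name, (spec, kind) in find_unpinned(deps).items():
            print(f"{source}: {name} {spec!r} is {kind}; pin it, e.g. {name}==X.Y.Z")
```

Anything classified other than pinned is worth a question in review; lower-bound-only is the case flagged in this scan.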
Low
Hardcoded absolute path in stock_selector_v8.py (category: privilege escalation)
stock_selector_v8.py line 17 hardcodes '/home/admin/openclaw/workspace/strategies/候选股票池.json', whereas stock_selector.py resolves the pool file relative to os.path.dirname(__file__). The hardcoded path fails on any machine with a different layout and exposes the author's local user and workspace location.
POOL_FILE = "/home/admin/openclaw/workspace/strategies/候选股票池.json"
→ Use __file__-relative path resolution like the main script does, or accept POOL_FILE as an environment variable.
stock_selector_v8.py:17
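One way to apply the recommendation above, as an added example rather than the skill's own code: the pool file defaults to a location relative to the script, STOCK_POOL_FILE (the variable named in the permission table below) may override it, and an override that resolves outside an allowed directory is rejected, so an untrusted environment cannot redirect the tool at arbitrary files. The default relative location strategies/候选股票池.json and the containment rule are assumptions made here.

```python
"""Locate the candidate-pool file without a hard-coded absolute path.

Added example, not code from the stock-selector skill. It implements the
recommendation above: default to a location relative to the script, let the
STOCK_POOL_FILE environment variable override it, and refuse overrides that
escape an allowed directory. The default relative location and the
allowed-root rule are assumptions made for this example.
"""
from __future__ import annotations

import os
from pathlib import Path

# Flagged form from stock_selector_v8.py:17 (works only on one machine):
#   POOL_FILE = "/home/admin/openclaw/workspace/strategies/候选股票池.json"

ENV_VAR = "STOCK_POOL_FILE"
DEFAULT_RELATIVE = Path("strategies") / "候选股票池.json"   # assumed default


def resolve_pool_file(script_path: str | Path,
                      env: dict[str, str] | None = None,
                      allowed_root: str | Path | None = None) -> Path:
    """Return the pool file path, honouring STOCK_POOL_FILE within allowed_root.

    script_path   normally __file__ of the calling script
    env           mapping to consult instead of os.environ (handy for tests)
    allowed_root  directory the resolved path must stay inside; defaults to
                  the script's own directory
    """
    env = os.environ if env is None else env
    script_dir = Path(script_path).resolve().parent
    root = (Path(allowed_root) if allowed_root else script_dir).resolve()

    override = env.get(ENV_VAR)
    candidate = Path(override) if override else script_dir / DEFAULT_RELATIVE
    if not candidate.is_absolute():
        candidate = root / candidate           # relative overrides hang off root
    resolved = candidate.resolve()             # collapses '..' and symlinks

    if resolved != root and root not in resolved.parents:
        raise ValueError(f"{ENV_VAR}={override!r} resolves outside {root}: {resolved}")
    return resolved


def is_within(path: str | Path, root: str | Path) -> bool:
    """True if `path` is `root` or lies beneath it after resolution."""
    p, r = Path(path).resolve(), Path(root).resolve()
    return p == r or r in p.parents


if __name__ == "__main__":
    # Default: no override, path relative to this script.
    print(resolve_pool_file(__file__))
    # An override escaping the allowed root is rejected.
    try:
        resolve_pool_file(__file__, {ENV_VAR: "../../etc/passwd"})
    except ValueError as exc:
        print("rejected:", exc)
```

Resolving both the root and the candidate before comparing is what makes the containment check hold against `..` segments and symlinks; a plain string-prefix comparison would not.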
Resource | Declared | Inferred | Status | Evidence
Network access | READ | READ | ✓ consistent | requests.get(url) to qt.gtimg.cn
File system | READ | READ | ✓ consistent | load_stock_pool reads local JSON; results written to configured output_dir
Command execution | NONE | NONE | | No subprocess/shell calls found in any file
Environment variables | NONE | NONE | | Only reads STOCK_OUTPUT_DIR and STOCK_POOL_FILE env vars for configuration
Clipboard | NONE | NONE | | Not accessed
Browser | NONE | NONE | | Not accessed
Database | NONE | NONE | | Not accessed
Skill invocation | NONE | NONE | | No inter-skill invocation
External URLs (1 finding)
Medium | External URL | https://qt.gtimg.cn/q= | stock_selector.py:46

Directory structure

5 files · 26.1 KB · 877 lines
Python: 3 files, 610 lines · Markdown: 1 file, 230 lines · JSON: 1 file, 37 lines
├─ 📁 tests
│ └─ 🐍 test_selector.py Python 86L · 2.6 KB
├─ 📋 package.json JSON 37L · 890 B
├─ 📝 SKILL.md Markdown 230L · 4.7 KB
├─ 🐍 stock_selector_v8.py Python 301L · 10.3 KB
└─ 🐍 stock_selector.py Python 223L · 7.7 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | >=2.28.0 | package.json | (none listed) | Version not pinned to a specific release

Security highlights

✓ No shell execution (subprocess, os.system) in any file
✓ No credential harvesting or environment variable iteration for secrets
✓ No base64 or encoded payloads
✓ No reverse shell, C2, or data exfiltration patterns
✓ No hidden HTML comments or steganographic payloads
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No eval(), exec(), or dynamic code execution
✓ No curl|bash or wget|sh remote script installation
✓ No obfuscation techniques detected
✓ Network requests are limited to a single, declared data source (qt.gtimg.cn)
✓ Dependencies are minimal (only the requests library)
✓ Both scripts are straightforward, readable Python with no suspicious patterns