Scan Report
10 /100
groundapi_a_share_analyst
Analyze individual A-share stocks with real-time quotes, fundamentals, technicals, and recent news — powered by GroundAPI MCP tools.
This is a legitimate A-share stock analysis skill using declared MCP tools with no hidden functionality or malicious behavior detected.
Safe to install
Safe to use. The skill only accesses the declared GroundAPI MCP server and performs stock analysis using standard financial data APIs.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | External API dependency | SKILL.md:28 |
| Low | API key in plain text | SKILL.md:26 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations described or required |
| Network | READ | READ | ✓ Aligned | Uses declared MCP tools: finance_stock, info_search, finance_market |
| Shell | NONE | NONE | — | No shell execution in the skill |
| Environment | READ | READ | ✓ Aligned | Only reads GROUNDAPI_KEY for MCP authentication |
| Skill Invoke | READ | READ | ✓ Aligned | Uses standard MCP tool invocations |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
2 findings
Medium External URL 外部 URL
https://groundapi.net SKILL.md:9 Medium External URL 外部 URL
https://mcp.groundapi.net/sse SKILL.md:28 File Tree
1 files · 3.9 KB · 131 lines Markdown 1f · 131L
└─
SKILL.md
Markdown
Security Positives
✓ No executable code - purely documentation specification
✓ All capabilities declared in SKILL.md match intended behavior
✓ No shell execution, filesystem manipulation, or credential harvesting
✓ Uses only standard MCP financial data tools
✓ No base64, eval, or suspicious encoding patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden instructions or masquerading
✓ Clear disclaimer that analysis is for reference only