Low Risk — Risk Score 25/100
Last scan: 16 hr ago
金融日报推送技能 (Finance Daily Push)
Automatically pushes a financial daily report focused on the A-share technology sector, including a morning report, an evening report and a weekly report.
Skill contains a hardcoded TuShare API token in source code, but no user credential theft or malicious exfiltration behavior detected.
Skill Name: 金融日报推送技能 (Finance Daily Push)
Duration: 28.3s
Engine: pi
Safe to install
Remove the hardcoded fallback token from line 25 of tushare_enhance.py. Users should be required to set TUSHARE_TOKEN environment variable explicitly.

Findings 2 items

Severity Finding Location
Medium
Hardcoded API Token in Source Code (category: Credential Theft)
A TuShare API token is hardcoded as a fallback value in scripts/tushare_enhance.py line 25. While this token appears to belong to the skill author (not harvesting user credentials), hardcoding credentials in source code is a security anti-pattern that could expose sensitive access if the token has elevated permissions.
TUSHARE_TOKEN = os.getenv('TUSHARE_TOKEN') or 'c69074d39ca1d31eba5f517273ab14c9cc382a176b25993a2450f221'
→ Remove the fallback token. Require users to set TUSHARE_TOKEN environment variable explicitly, or remove the entire TuShare functionality.
scripts/tushare_enhance.py:25
Low
Minor Documentation Gap (category: Doc Mismatch)
SKILL.md instructs users to 'export TUSHARE_TOKEN=your_token' but the code silently falls back to a hardcoded token if the env var is not set. This could confuse users about which token is being used.
TUSHARE_TOKEN = os.getenv('TUSHARE_TOKEN') or '...'
→ If TUSHARE_TOKEN is not set and no fallback exists, the script should fail with a clear error message directing users to tushare.pro/register.
scripts/tushare_enhance.py:25
Resource Declared Inferred Status Evidence
Network READ READ ✓ Aligned SKILL.md:105-108 declares Tencent Finance and TuShare API access
Shell WRITE WRITE ✓ Aligned SKILL.md:40-52 documents cron command usage
External URLs 4 findings

Medium External URL
https://tushare.pro/register
SKILL.md:121
Medium External URL
https://tushare.pro/user/token
SKILL.md:122
Medium External URL
http://qt.gtimg.cn/q=
scripts/fetch-quote.py:22
Medium External URL
https://finance.qq.com
scripts/fetch-quote.py:26

File Tree

7 files · 31.9 KB · 1293 lines
Markdown: 5 files · 942 lines; Python: 2 files · 351 lines
├─ 📁 scripts
│ ├─ 🐍 fetch-quote.py Python 102L · 2.9 KB
│ └─ 🐍 tushare_enhance.py Python 249L · 7.8 KB
├─ 📝 prompt-周报.md Markdown 190L · 3.9 KB
├─ 📝 prompt-早报.md Markdown 169L · 3.6 KB
├─ 📝 prompt-晚报.md Markdown 183L · 3.8 KB
├─ 📝 README.md Markdown 180L · 4.1 KB
└─ 📝 SKILL.md Markdown 220L · 5.8 KB

Dependencies 3 items

Package Version Source Known Vulns Notes
tushare * pip No Version not pinned
pandas * pip No Version not pinned
requests * pip No Version not pinned (used in fetch-quote.py)

Security Positives

✓ No reverse shell or arbitrary code execution detected
✓ No credential harvesting from user environment (ssh, aws, .env files)
✓ No base64-encoded or obfuscated payloads
✓ No data exfiltration beyond documented financial APIs
✓ Network access is explicitly declared in SKILL.md
✓ Shell execution is documented for cron scheduling