Low risk: risk score 25/100
Last scan: 18 hours ago
金融日报推送技能 (Finance Daily Push)
Automatically pushes a financial daily report covering the A-share technology sector, including a morning report, an evening report and a weekly report.
The skill contains a hardcoded TuShare API token in its source code, but no user credential theft or malicious exfiltration behaviour was detected.
Skill name: 金融日报推送技能 (Finance Daily Push)
Analysis time: 28.3s
Engine: pi
Verdict: safe to install
Remove the hardcoded fallback token from line 25 of tushare_enhance.py. Users should be required to set the TUSHARE_TOKEN environment variable explicitly.

Security findings: 2

Severity | Finding | Category | Location
Medium | Hardcoded API Token in Source Code | Credential theft (凭证窃取) | scripts/tushare_enhance.py:25
Low | Minor Documentation Gap | Documentation deception (文档欺骗) | scripts/tushare_enhance.py:25

Finding 1 (Medium): Hardcoded API Token in Source Code
A TuShare API token is hardcoded as a fallback value in scripts/tushare_enhance.py line 25. While this token appears to belong to the skill author (it does not harvest user credentials), hardcoding credentials in source code is a security anti-pattern that could expose sensitive access if the token has elevated permissions.
Evidence (scripts/tushare_enhance.py:25):
TUSHARE_TOKEN = os.getenv('TUSHARE_TOKEN') or 'c69074d39ca1d31eba5f517273ab14c9cc382a176b25993a2450f221'
→ Remove the fallback token. Require users to set the TUSHARE_TOKEN environment variable explicitly, or remove the TuShare functionality entirely.

Finding 2 (Low): Minor Documentation Gap
SKILL.md instructs users to 'export TUSHARE_TOKEN=your_token', but the code silently falls back to a hardcoded token if the environment variable is not set. This could confuse users about which token is actually being used.
Evidence (scripts/tushare_enhance.py:25):
TUSHARE_TOKEN = os.getenv('TUSHARE_TOKEN') or '...'
→ If TUSHARE_TOKEN is not set and no fallback exists, the script should fail with a clear error message directing users to tushare.pro/register.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md:105-108 declares Tencent Finance and TuShare API access
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:40-52 documents cron command usage
External URLs: 4 findings

Severity | Type | URL | Location
Medium | External URL | https://tushare.pro/register | SKILL.md:121
Medium | External URL | https://tushare.pro/user/token | SKILL.md:122
Medium | External URL | http://qt.gtimg.cn/q= | scripts/fetch-quote.py:22
Medium | External URL | https://finance.qq.com | scripts/fetch-quote.py:26

Directory structure

7 files · 31.9 KB · 1293 lines
Markdown: 5 files · 942 lines; Python: 2 files · 351 lines
├─ 📁 scripts
│ ├─ 🐍 fetch-quote.py Python 102L · 2.9 KB
│ └─ 🐍 tushare_enhance.py Python 249L · 7.8 KB
├─ 📝 prompt-周报.md Markdown 190L · 3.9 KB
├─ 📝 prompt-早报.md Markdown 169L · 3.6 KB
├─ 📝 prompt-晚报.md Markdown 183L · 3.8 KB
├─ 📝 README.md Markdown 180L · 4.1 KB
└─ 📝 SKILL.md Markdown 220L · 5.8 KB

Dependency analysis: 3 items

Package | Version | Source | Known vulnerabilities | Notes
tushare | * | pip | | Version not pinned
pandas | * | pip | | Version not pinned
requests | * | pip | | Version not pinned (used in fetch-quote.py)

Security highlights

✓ No reverse shell or arbitrary code execution detected
✓ No credential harvesting from user environment (ssh, aws, .env files)
✓ No base64-encoded or obfuscated payloads
✓ No data exfiltration beyond documented financial APIs
✓ Network access is explicitly declared in SKILL.md
✓ Shell execution is documented for cron scheduling