Trusted — Risk Score 5/100
Last scan: 1 day ago
baidu-finance-search
Baidu Finance Search skill - financial news and sentiment search tool
A legitimate Baidu finance search skill that makes API calls to a documented endpoint, with no malicious indicators found.
Skill Name: baidu-finance-search
Duration: 21.4s
Engine: pi
Safe to install
Skill is safe to use. Consider enabling SSL certificate verification in production (lines 157-159) for better security.

Findings (1 item)

Severity: Low
Finding: SSL certificate verification disabled (Sensitive Access)
Location: scripts/search.py:157
The script disables SSL certificate verification (ssl.CERT_NONE), which could allow MITM attacks. However, this appears to be for API connectivity rather than malicious intent.
ctx.verify_mode = ssl.CERT_NONE
→ Enable SSL verification in production or document the reason for disabling it.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | scripts/search.py:147 - POST to qianfan.baidubce.com
Environment | READ | READ | ✓ Aligned | scripts/search.py:39 - reads BAIDU_API_KEY
Filesystem | NONE | READ | ✓ Aligned | scripts/search.py:46 - reads .env fallback only when API key missing
1 finding
Medium: External URL
https://qianfan.baidubce.com/v2/ai_search/web_summary
SKILL.md:28

File Tree

3 files · 11.3 KB · 404 lines
Python: 1 file · 294 lines | Markdown: 1 file · 105 lines | JSON: 1 file · 5 lines
├─ 📁 scripts
│ └─ 🐍 search.py Python 294L · 8.5 KB
├─ 📋 _meta.json JSON 5L · 139 B
└─ 📝 SKILL.md Markdown 105L · 2.6 KB

Security Positives

✓ No shell execution or subprocess calls
✓ No credential exfiltration - API key used only for local authentication
✓ No obfuscation, base64 encoding, or hidden instructions
✓ Network calls match documented API endpoint exactly
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files outside the fallback
✓ Clean, readable code with no suspicious patterns