Trusted - risk score 5/100
Last scan: 1 day ago
baidu-finance-search
Baidu Finance Search skill - financial news and public-opinion search tool
A legitimate Baidu finance search skill that makes API calls to a documented endpoint, with no malicious indicators found.
Skill name: baidu-finance-search
Analysis time: 21.4s
Engine: pi
Verdict: OK to install
Skill is safe to use. Consider enabling SSL certificate verification in production (lines 157-159) for better security.

Security findings: 1

Severity    Finding                                  Category
Low         SSL certificate verification disabled    Sensitive access
The script disables SSL certificate verification (ssl.CERT_NONE) which could allow MITM attacks. However, this appears to be for API connectivity rather than malicious intent.
ctx.verify_mode = ssl.CERT_NONE
→ Enable SSL verification in production or document the reason for disabling it.
scripts/search.py:157
Resource type           Declared    Inferred    Status          Evidence
Network access          READ        READ        ✓ consistent    scripts/search.py:147 - POST to qianfan.baidubce.com
Environment variables   READ        READ        ✓ consistent    scripts/search.py:39 - reads BAIDU_API_KEY
File system             NONE        READ        ✓ consistent    scripts/search.py:46 - reads .env fallback only when API key missing
1 finding
Medium: External URL
https://qianfan.baidubce.com/v2/ai_search/web_summary
SKILL.md:28

Directory structure

3 files · 11.3 KB · 404 lines
Python: 1 file, 294 lines · Markdown: 1 file, 105 lines · JSON: 1 file, 5 lines
├─ 📁 scripts
│ └─ 🐍 search.py Python 294L · 8.5 KB
├─ 📋 _meta.json JSON 5L · 139 B
└─ 📝 SKILL.md Markdown 105L · 2.6 KB

Security highlights

✓ No shell execution or subprocess calls
✓ No credential exfiltration - API key used only for local authentication
✓ No obfuscation, base64 encoding, or hidden instructions
✓ Network calls match documented API endpoint exactly
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files outside the fallback
✓ Clean, readable code with no suspicious patterns