Scan Report
5/100
mx_macro_data
East Money macroeconomic data query tool with natural language support
Legitimate macroeconomic data query tool that retrieves data from East Money API and exports to CSV, with no malicious indicators.
Safe to install
This skill is safe to use. No security concerns identified.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Placeholder API key in documentation | SKILL.md:154 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | httpx POST to https://ai-saas.eastmoney.com (documented in SKILL.md) |
| Filesystem | WRITE | WRITE | ✓ Aligned | Writes CSV and description txt files to output_dir (documented in SKILL.md) |
| Environment | READ | READ | ✓ Aligned | Reads EM_API_KEY only (documented in SKILL.md) |
| Shell | NONE | NONE | — | No shell execution found |
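1 High 3 findings

| Severity | Category | Finding | Evidence | Location |
|---|---|---|---|---|
| High | API Key | Suspected hardcoded credential | API_KEY="your_api_key_here" | SKILL.md:154 |
| Medium | External URL | External URL | https://ai.eastmoney.com/mxClaw | SKILL.md:29 |
| Medium | External URL | External URL | https://ai-saas.eastmoney.com | scripts/get_data.py:71 |

File Tree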
2 files · 31.7 KB · 780 lines
Python 1f · 507L
Markdown 1f · 273L
├─ scripts
│  └─ get_data.py (Python)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| httpx | * | pip | No | No version pinning in documentation, but httpx is a well-maintained reputable library |
Security Positives
✓ No shell execution (subprocess, os.system, eval)
✓ No credential harvesting or exfiltration
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64/encoded payload execution
✓ No hidden functionality - all behavior documented
✓ Single, documented API endpoint (East Money)
✓ Only reads specific EM_API_KEY environment variable
✓ File operations scoped to user-specified output directory
✓ Uses reputable httpx library for HTTP requests