Trusted: risk score 5/100
Last scanned: 2 days ago
mx_macro_data
East Money macroeconomic data query tool with natural language support
Legitimate macroeconomic data query tool that retrieves data from East Money API and exports to CSV, with no malicious indicators.
Skill name: mx_macro_data
Analysis time: 26.5s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Security findings: 1

Severity: Low
Finding: Placeholder API key in documentation
SKILL.md line 154 shows 'your_api_key_here' as placeholder example. This is a documentation example for user configuration, not an actual credential.
export EM_API_KEY="your_api_key_here"
→ No action needed - this is a standard documentation example.
Location: SKILL.md:154
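
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Network access | READ | READ | ✓ Consistent | httpx POST to https://ai-saas.eastmoney.com (documented in SKILL.md) |
| File system | WRITE | WRITE | ✓ Consistent | Writes CSV and description txt files to output_dir (documented in SKILL.md) |
| Environment variables | READ | READ | ✓ Consistent | Reads EM_API_KEY only (documented in SKILL.md) |
| Command execution | NONE | NONE | | No shell execution found |
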
1 high severity · 3 findings
🔑
High · API key · Suspected hardcoded credential
API_KEY="your_api_key_here"
SKILL.md:154
🔗
Medium · External URL · External URL
https://ai.eastmoney.com/mxClaw
SKILL.md:29
🔗
Medium · External URL · External URL
https://ai-saas.eastmoney.com
scripts/get_data.py:71

Directory structure

2 files · 31.7 KB · 780 lines
Python 1f · 507L Markdown 1f · 273L
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 507L · 18.8 KB
└─ 📝 SKILL.md Markdown 273L · 12.9 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| httpx | * | pip | | No version pinning in documentation, but httpx is a well-maintained reputable library |

Security highlights

✓ No shell execution (subprocess, os.system, eval)
✓ No credential harvesting or exfiltration
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64/encoded payload execution
✓ No hidden functionality - all behavior documented
✓ Single, documented API endpoint (East Money)
✓ Only reads specific EM_API_KEY environment variable
✓ File operations scoped to user-specified output directory
✓ Uses reputable httpx library for HTTP requests