Low Risk — Risk Score 15/100
Last scan: 1 day ago
mx_finance_data
Built on the East Money (Eastmoney) database; supports natural-language queries of financial data covering A-share, Hong Kong and US equities, funds, bonds and other asset classes.
Legitimate financial data query skill that reads from environment, calls East Money API, and writes Excel output files. No malicious behavior detected.
Skill Name: mx_finance_data
Duration: 28.1s
Engine: pi
Safe to install
Consider pinning dependency versions in SKILL.md for reproducibility. The hardcoded placeholder in docs (line 104) is cosmetic and not a security risk.

Findings 2 items

Severity Finding Location
Low
Dependency versions not pinned
The SKILL.md specifies dependencies with wildcard versions (httpx, pandas, openpyxl) which could lead to unexpected behavior if upstream packages change.
package: httpx pandas openpyxl
→ Pin specific versions, e.g., 'httpx>=0.24.0,<1.0.0 pandas>=1.5.0 openpyxl>=3.0.0'
SKILL.md:19
Info
API key placeholder in documentation
SKILL.md line 104 shows 'API_KEY="your_api_key_here"' as a user-instruction placeholder. This is not an actual hardcoded credential, but it could be confusing.
export EM_API_KEY="your_api_key_here"
→ Consider clarifying this is a placeholder users must replace
SKILL.md:104
Resource | Declared | Inferred | Status | Evidence
Network READ READ ✓ Aligned scripts/get_data.py:296 - httpx POST to ai-saas.eastmoney.com
Filesystem WRITE WRITE ✓ Aligned scripts/get_data.py:330-350 - writes xlsx and txt output files
Environment READ READ ✓ Aligned scripts/get_data.py:67 - os.environ.get('EM_API_KEY')
1 High · 3 findings
🔑 High · API Key · Suspected hardcoded credential
API_KEY="your_api_key_here"
SKILL.md:104
🔗 Medium · External URL
https://ai.eastmoney.com/mxClaw
SKILL.md:27
🔗 Medium · External URL
https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchData
scripts/get_data.py:73

File Tree

2 files · 28.8 KB · 773 lines
Python: 1 file · 624 lines; Markdown: 1 file · 149 lines
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 624L · 24.0 KB
└─ 📝 SKILL.md Markdown 149L · 4.9 KB

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
httpx * pip No Version not pinned - recommend pinning for reproducibility
pandas * pip No Version not pinned
openpyxl * pip No Version not pinned

Security Positives

✓ No shell command execution (subprocess, os.system)
✓ No credential exfiltration or external data transmission
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No obfuscation techniques (base64, eval, atob)
✓ No hidden functionality or undocumented behavior
✓ API key only used for declared East Money API authentication
✓ Clear documentation of all permissions and data flows
✓ Proper error handling throughout the codebase