Scan Report
15 / 100
mx_finance_data
Built on the East Money database; supports natural-language queries of financial data covering A-share, Hong Kong and US equities, funds, bonds and other asset classes.
Legitimate financial data query skill that reads from environment, calls East Money API, and writes Excel output files. No malicious behavior detected.
Can be installed
Consider pinning dependency versions in SKILL.md for reproducibility. The hardcoded placeholder in docs (line 104) is cosmetic and not a security risk.
Security findings: 2
| Severity | Finding | Location |
|---|---|---|
| Low | Dependency versions not pinned | SKILL.md:19 |
| Info | API key placeholder in documentation | SKILL.md:104 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | scripts/get_data.py:296 - httpx POST to ai-saas.eastmoney.com |
| File system | WRITE | WRITE | ✓ Consistent | scripts/get_data.py:330-350 - writes xlsx and txt output files |
| Environment variables | READ | READ | ✓ Consistent | scripts/get_data.py:67 - os.environ.get('EM_API_KEY') |
Findings: 3 (1 high)
| Severity | Category | Type | Value | Location |
|---|---|---|---|---|
| High | API key | Suspected hard-coded credential | API_KEY="your_api_key_here" | SKILL.md:104 |
| Medium | External URL | External URL | https://ai.eastmoney.com/mxClaw | SKILL.md:27 |
| Medium | External URL | External URL | https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchData | scripts/get_data.py:73 |
Directory structure
2 files · 28.8 KB · 773 lines (Python: 1 file · 624 lines; Markdown: 1 file · 149 lines)
├─ scripts/
│  └─ get_data.py (Python)
└─ SKILL.md (Markdown)
Dependency analysis: 3
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| httpx | * | pip | No | Version not pinned - recommend pinning for reproducibility |
| pandas | * | pip | No | Version not pinned |
| openpyxl | * | pip | No | Version not pinned |
Security highlights
✓ No shell command execution (subprocess, os.system)
✓ No credential exfiltration or external data transmission
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No obfuscation techniques (base64, eval, atob)
✓ No hidden functionality or undocumented behavior
✓ API key only used for declared East Money API authentication
✓ Clear documentation of all permissions and data flows
✓ Proper error handling throughout the codebase