mx_macro_data Security Report — Trusted | ClawSafe

5 /100

mx_macro_data

基于东方财富数据库，支持自然语言查询全球宏观经济数据的AI Skill

A legitimate macroeconomics data query tool that reads an API key from an environment variable, calls a single documented API endpoint, and writes output CSV/txt files to a declared directory. No shell execution, credential theft, data exfiltration, or obfuscation observed.

Skill Namemx_macro_data

Duration37.1s

Enginepi

✓

Safe to install

No action needed. The skill operates within its declared scope.

Findings 2 items

Severity	Finding	Location
Low	Placeholder API key literal in documentation Doc Mismatch SKILL.md:154 contains the literal string 'your_api_key_here' as a placeholder for the API key configuration example. While this is a documentation placeholder and not a real credential, it could be flagged by static analysis tools. `export EM_API_KEY="your_api_key_here"` → Use a clearly fictitious placeholder like '<YOUR_API_KEY>' or '<PLACEHOLDER>' instead of 'your_api_key_here' to avoid any risk of confusion with real credentials.	`SKILL.md:154`
Low	Debug print statements may leak API key to stdout Sensitive Access get_data.py prints the full request URL and JSON body to stdout via print() calls. If stdout is redirected to a log file, the API key could appear in logs. `print(f"发送请求到: {url}")\nprint(f"请求体: {json.dumps(body, ensure_ascii=False)}")` → Redact the API key from debug prints, or use a dedicated logger that respects log level settings.	`scripts/get_data.py:218`

Resource	Declared	Inferred	Status	Evidence
Environment	`READ`	`READ`	✓ Aligned	get_data.py:47 EM_API_KEY = os.environ.get("EM_API_KEY", "")
Filesystem	`WRITE`	`WRITE`	✓ Aligned	get_data.py:157-158 output_dir.mkdir(parents=True, exist_ok=True); get_data.py:1…
Network	`WRITE`	`WRITE`	✓ Aligned	get_data.py:225-229 httpx.AsyncClient POST to https://ai-saas.eastmoney.com

1 High 3 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="your_api_key_here"

SKILL.md:154

🔗

Medium External URL 外部 URL

https://ai.eastmoney.com/mxClaw

SKILL.md:29

🔗

Medium External URL 外部 URL

https://ai-saas.eastmoney.com

scripts/get_data.py:71

File Tree

2 files · 32.4 KB · 780 lines

Python 1f · 507L Markdown 1f · 273L

├─ ▾ 📁 scripts

│ └─ 🐍 get_data.py Python 507L · 19.3 KB

└─ 📝 SKILL.md Markdown 273L · 13.1 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`httpx`	`unpinned`	pip	No	Listed in SKILL.md _meta.install but no version pin specified in requirements.txt or pip command

Security Positives

✓ Uses only a single declared environment variable (EM_API_KEY) for authentication

✓ Calls a single, documented, named API endpoint (https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchMacroData)

✓ No shell execution or subprocess usage — pure Python library calls

✓ No credential theft — only reads the declared API key, does not enumerate environment variables

✓ No data exfiltration — all outbound traffic is to the legitimate API service

✓ No obfuscation — all code is clear and human-readable

✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env scanning)

✓ No base64, eval, or dynamic code execution

✓ File writes are scoped to a declared output directory

✓ httpx dependency is explicitly declared in metadata

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives