Trusted: risk score 5/100
Last scan: 1 day ago
mx_macro_data
An AI Skill for querying global macroeconomic data in natural language, backed by the Eastmoney (东方财富) database.
A legitimate macroeconomics data query tool that reads an API key from an environment variable, calls a single documented API endpoint, and writes output CSV/txt files to a declared directory. No shell execution, credential theft, data exfiltration, or obfuscation observed.
Skill name: mx_macro_data
Analysis time: 37.1 s
Engine: pi
Verdict: safe to install
No action needed. The skill operates within its declared scope.

Security findings (2)

Severity: Low
Finding: Placeholder API key literal in documentation (category: documentation deception)
Location: SKILL.md:154
SKILL.md:154 contains the literal string 'your_api_key_here' as the placeholder in the API key configuration example. It is a documentation placeholder, not a real credential, but pattern-based scanners will flag it as one; the pattern findings further down report this same line as a suspected hard-coded credential.
Evidence:
export EM_API_KEY="your_api_key_here"
→ Use a clearly fictitious placeholder such as '<YOUR_API_KEY>' or '<PLACEHOLDER>' instead of 'your_api_key_here', so that neither readers nor scanners can confuse it with a real credential.

Severity: Low
Finding: Debug print statements may leak the API key to stdout (category: sensitive access)
Location: scripts/get_data.py:218
get_data.py prints the full request URL and JSON body to stdout via print() calls (the messages read "sending request to: {url}" and "request body: …"). Anything that captures stdout, such as a redirect to a log file, a process supervisor or an agent transcript, will then also capture the API key if it is carried in that URL or body.
Evidence:
print(f"发送请求到: {url}")
print(f"请求体: {json.dumps(body, ensure_ascii=False)}")
→ Redact the API key from debug output, or use a dedicated logger that respects log level settings so that request details are not emitted at the default level.
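The following is an added example written for this report, not code from mx_macro_data or Eastmoney. It contrasts what the two print() calls above emit with the same request logged through a DEBUG-level logger that redacts the key twice: structurally, by blanking known secret field names in the URL query string and the JSON body, and by value, through a logging filter that scrubs the raw key wherever it appears. The field names (api_key, apiKey, token, …), the sample key and the request body are constructed assumptions; the skill's real request layout is not shown on this page.

```python
"""Redacting an API key from request debug output (added example)."""
import io
import json
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Parameter/field names treated as secrets (case-insensitive). Assumed list,
# not taken from the skill's code.
SENSITIVE_KEYS = {"api_key", "apikey", "token", "authorization", "em_api_key"}


def redact_url(url: str) -> str:
    """Blank the value of any sensitive query parameter; keep everything else."""
    parts = urlsplit(url)
    query = [
        (k, REDACTED if k.lower() in SENSITIVE_KEYS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_body(obj):
    """Recursively blank sensitive fields in a JSON-like structure."""
    if isinstance(obj, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact_body(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_body(v) for v in obj]
    return obj


class SecretValueFilter(logging.Filter):
    """Last line of defence: replace known secret values anywhere in a record,
    catching a key that was interpolated under a field name we did not list."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = [s for s in secrets if s]  # never "replace" the empty string

    def filter(self, record):
        msg = record.getMessage()
        for s in self.secrets:
            msg = msg.replace(s, REDACTED)
        record.msg, record.args = msg, ()
        return True


def unsafe_debug_output(url, body):
    """What the original print() calls at get_data.py:218 would emit."""
    return f"发送请求到: {url}\n请求体: {json.dumps(body, ensure_ascii=False)}"


def safe_debug_output(url, body, api_key):
    """Log the request at DEBUG with structural redaction plus the value filter;
    return the captured text so callers (and tests) can inspect it."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    secret_filter = SecretValueFilter([api_key])
    logger = logging.getLogger("mx_macro_data.example")
    logger.propagate = False  # keep the demo out of the root logger's handlers
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.addFilter(secret_filter)
    try:
        logger.debug("sending request to: %s", redact_url(url))
        logger.debug("request body: %s",
                     json.dumps(redact_body(body), ensure_ascii=False))
        handler.flush()
    finally:  # leave the shared logger as we found it
        logger.removeHandler(handler)
        logger.removeFilter(secret_filter)
    return stream.getvalue()


if __name__ == "__main__":
    key = "em-test-key-0123456789"  # constructed sample, not a real credential
    url = ("https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchMacroData"
           f"?api_key={key}&lang=en")
    # "credential" is deliberately absent from SENSITIVE_KEYS: only the value
    # filter catches it.
    body = {"apiKey": key, "query": "China CPI 2023", "extra": {"credential": key}}
    print(unsafe_debug_output(url, body))
    print(safe_debug_output(url, body, key))
```

Structural redaction keeps the log useful (the query text and non-secret parameters survive) while the value filter covers the case the finding describes: a key that reaches the log under a name nobody thought to redact. Because the records go through a logger, production runs can also simply leave the level at INFO and never emit the request body at all.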
Permission check (declared vs. inferred)
Environment variables: declared READ, inferred READ, ✓ consistent. Evidence: get_data.py:47 EM_API_KEY = os.environ.get("EM_API_KEY", "")
File system: declared WRITE, inferred WRITE, ✓ consistent. Evidence: get_data.py:157-158 output_dir.mkdir(parents=True, exist_ok=True); get_data.py:1…
Network access: declared WRITE, inferred WRITE, ✓ consistent. Evidence: get_data.py:225-229 httpx.AsyncClient POST to https://ai-saas.eastmoney.com
Pattern findings (3 findings, 1 high)
These are pattern matches, not the analyst verdict above; the high-severity entry is the same SKILL.md:154 placeholder already assessed as a low-severity documentation issue in the findings above.

High · API key · suspected hard-coded credential
API_KEY="your_api_key_here"
SKILL.md:154

Medium · External URL
https://ai.eastmoney.com/mxClaw
SKILL.md:29

Medium · External URL
https://ai-saas.eastmoney.com
scripts/get_data.py:71

Directory structure

2 files · 32.4 KB · 780 lines
Python: 1 file · 507 lines; Markdown: 1 file · 273 lines
├─ 📁 scripts
│ └─ 🐍 get_data.py Python 507L · 19.3 KB
└─ 📝 SKILL.md Markdown 273L · 13.1 KB

Dependency analysis (1)

Package: httpx · Version: unpinned · Source: pip · Known vulnerabilities: none listed
Note: listed in SKILL.md _meta.install, but no version pin is specified in requirements.txt or the pip command. Pin an exact version (and, where the installer supports it, a hash) so that a later httpx release or a substituted package cannot change the skill's behaviour at install time.

Security highlights

✓ Uses only a single declared environment variable (EM_API_KEY) for authentication
✓ Calls a single, documented, named API endpoint (https://ai-saas.eastmoney.com/proxy/b/mcp/tool/searchMacroData)
✓ No shell execution or subprocess usage — pure Python library calls
✓ No credential theft — only reads the declared API key, does not enumerate environment variables
✓ No data exfiltration — all outbound traffic is to the legitimate API service
✓ No obfuscation — all code is clear and human-readable
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env scanning)
✓ No base64, eval, or dynamic code execution
✓ File writes are scoped to a declared output directory
✓ httpx dependency is explicitly declared in metadata