Scan Report
5 /100
mx_financial_assistant
基于东方财富权威金融数据库的智能金融问答服务
A straightforward financial Q&A skill that safely calls an East Money API with proper credential management and no security violations.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations in generate_answer.py |
| Network | READ | READ | ✓ Aligned | httpx client POSTs to ai-saas.eastmoney.com (line 65) |
| Shell | NONE | NONE | — | No subprocess or os.system calls |
| Environment | READ | READ | ✓ Aligned | os.environ.get('EM_API_KEY') (line 30) |
| Skill Invoke | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
1 High 2 findings
High API Key 疑似硬编码凭证
API_KEY="your_api_key_here" SKILL.md:54 Medium External URL 外部 URL
https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/ask scripts/generate_answer.py:20 File Tree
2 files · 18.5 KB · 504 lines Python 1f · 275L
Markdown 1f · 229L
├─
▾
scripts
│ └─
generate_answer.py
Python
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
httpx | * | pip | No | Version not pinned but only dependency |
Security Positives
✓ Credentials properly sourced from environment variable EM_API_KEY, never hardcoded
✓ Single dependency (httpx) with documented purpose
✓ Clean code with no obfuscation, base64, or eval()
✓ No shell execution or system command calls
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env reads)
✓ No data exfiltration or C2 communication patterns
✓ No persistence mechanisms or backdoors
✓ No prompt injection risks
✓ Clear error handling with informative messages
✓ API endpoint clearly declared and consistent