Scan Report
5 / 100
mx_financial_assistant
Intelligent financial Q&A service built on East Money's authoritative financial database
A straightforward financial Q&A skill that safely calls an East Money API with proper credential management and no security violations.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | — | No file operations in generate_answer.py |
| Network access | READ | READ | ✓ Consistent | httpx client POSTs to ai-saas.eastmoney.com (line 65) |
| Command execution | NONE | NONE | — | No subprocess or os.system calls |
| Environment variables | READ | READ | ✓ Consistent | os.environ.get('EM_API_KEY') (line 30) |
| Skill invocation | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
Findings: 1 high-severity · 2 findings
| Severity | Type | Finding | Evidence | Location |
|---|---|---|---|---|
| High | API key | Suspected hardcoded credential | `API_KEY="your_api_key_here"` | SKILL.md:54 |
| Medium | External URL | External URL | https://ai-saas.eastmoney.com/proxy/app-robo-advisor-api/assistant/ask | scripts/generate_answer.py:20 |
Directory structure
2 files · 18.5 KB · 504 lines (Python: 1 file · 275 lines; Markdown: 1 file · 229 lines)
├─ scripts
│  └─ generate_answer.py (Python)
└─ SKILL.md (Markdown)
Dependency analysis (1 item)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| httpx | * | pip | No | Version not pinned but only dependency |
Security highlights
✓ Credentials properly sourced from environment variable EM_API_KEY, never hardcoded
✓ Single dependency (httpx) with documented purpose
✓ Clean code with no obfuscation, base64, or eval()
✓ No shell execution or system command calls
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env reads)
✓ No data exfiltration or C2 communication patterns
✓ No persistence mechanisms or backdoors
✓ No prompt injection risks
✓ Clear error handling with informative messages
✓ API endpoint clearly declared and consistent