Scan Report
5/100
eastmoney_stock_simulator
A stock simulation portfolio management system provided by 妙想, supporting position queries, buy/sell operations, order cancellation, order queries, historical trade queries and fund queries.
A legitimate mock stock trading simulator skill that reads MX_APIKEY from environment, calls a declared dfcfs.com API for mock portfolio operations, and writes results to a declared output directory. No malicious behavior, obfuscation, credential harvesting beyond API usage, or undeclared capabilities detected.
Safe to install
This skill is safe to use. The only minor concern is that the `requests` library version is unpinned in requirements.txt, which could theoretically allow a supply-chain downgrade. Consider pinning `requests` to a known-safe version for defense in depth.
Findings (1 item)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Unpinned `requests` dependency | Supply Chain | scripts/requirements.txt:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | WRITE | WRITE | ✓ Aligned | make_request() uses requests.post() to POST JSON to dfcfs.com — declared in SKIL… |
| Filesystem | WRITE | WRITE | ✓ Aligned | save_result() writes .txt and .json files to /root/.openclaw/workspace/mx_data/o… |
| Environment | READ | READ | ✓ Aligned | os.environ.get('MX_APIKEY') and os.environ.get('MX_API_URL') — both declared in … |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell command invocation found in scripts/mx_stock_… |
External URLs (2 findings)
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://mkapi2.dfcfs.com/finskillshub | SKILL.md:16 |
| Medium | External URL | https://dl.dfcfs.com/m/itc4 | SKILL.md:104 |
File Tree
3 files · 34.5 KB · 855 lines (Markdown: 1 file · 471 lines; Python: 1 file · 383 lines; Text: 1 file · 1 line)
├─ scripts/
│  ├─ mx_stock_simulator.py (Python)
│  └─ requirements.txt (Text)
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Version not pinned — could resolve to a vulnerable version |
Security Positives
✓ All capabilities (network, filesystem write, environment read) are declared in SKILL.md
✓ No shell execution, subprocess, os.system, or popen calls found
✓ No credential harvesting beyond the single API key needed for the declared service
✓ No base64-encoded payloads, eval(), or dynamic code execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No data exfiltration or C2 communication — all network calls go to the declared dfcfs.com API
✓ File writes are confined to the documented output directory /root/.openclaw/workspace/mx_data/output/
✓ No obfuscation techniques detected
✓ No hidden HTML comments or injected instructions
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)