中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:23 小时前 重新扫描
5 /100
eastmoney_stock_simulator
妙想提供的股票模拟组合管理系统,支持持仓查询、买卖操作、撤单、委托查询、历史成交查询和资金查询
A legitimate mock stock trading simulator skill that reads MX_APIKEY from environment, calls a declared dfcfs.com API for mock portfolio operations, and writes results to a declared output directory. No malicious behavior, obfuscation, credential harvesting beyond API usage, or undeclared capabilities detected.
技能名称eastmoney_stock_simulator
分析耗时26.5s
引擎pi
可以安装
This skill is safe to use. The only minor concern is that the requests library version is unpinned in requirements.txt, which could theoretically allow a supply-chain downgrade. Consider pinning requests to a known-safe version for defense-in-depth.

安全发现 1 项

严重性 安全发现 位置
低危
Unpinned requests dependency 供应链
requirements.txt contains 'requests' without a version constraint. This allows pip to install any version, including those with known security vulnerabilities.
requests
→ Pin requests to a specific version, e.g., 'requests>=2.32.0' to ensure known vulnerabilities are patched.
 scripts/requirements.txt:1
资源类型声明权限推断权限状态证据
网络访问 WRITE WRITE ✓ 一致 make_request() uses requests.post() to POST JSON to dfcfs.com — declared in SKIL…
文件系统 WRITE WRITE ✓ 一致 save_result() writes .txt and .json files to /root/.openclaw/workspace/mx_data/o…
环境变量 READ READ ✓ 一致 os.environ.get('MX_APIKEY') and os.environ.get('MX_API_URL') — both declared in …
命令执行 NONE NONE No subprocess, os.system, or shell command invocation found in scripts/mx_stock_…
2 项发现
🔗
中危 外部 URL 外部 URL
https://mkapi2.dfcfs.com/finskillshub
SKILL.md:16
🔗
中危 外部 URL 外部 URL
https://dl.dfcfs.com/m/itc4
SKILL.md:104

目录结构

3 文件 · 34.5 KB · 855 行
Markdown 1f · 471L Python 1f · 383L Text 1f · 1L
├─ 📁 scripts
│ ├─ 🐍 mx_stock_simulator.py Python 383L · 13.8 KB
│ └─ 📄 requirements.txt Text 1L · 9 B
└─ 📝 SKILL.md Markdown 471L · 20.7 KB

依赖分析 1 项

包名版本来源已知漏洞备注
requests * pip Version not pinned — could resolve to a vulnerable version

安全亮点

✓ All capabilities (network, filesystem write, environment read) are declared in SKILL.md
✓ No shell execution, subprocess, os.system, or popen calls found
✓ No credential harvesting beyond the single API key needed for the declared service
✓ No base64-encoded payloads, eval(), or dynamic code execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No data exfiltration or C2 communication — all network calls go to the declared dfcfs.com API
✓ File writes are confined to the documented output directory /root/.openclaw/workspace/mx_data/output/
✓ No obfuscation techniques detected
✓ No hidden HTML comments or injected instructions
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)