Trusted — Risk score 5/100
Last scanned: 1 day ago
tradingview-screener
Screen markets across 6 asset classes using TradingView data
A clean, legitimate market data screening tool with no security concerns. All capabilities match documentation, expression sandboxing is properly implemented, and no sensitive operations are performed.
Skill name: tradingview-screener
Analysis time: 39.4s
Engine: pi
Can be installed
This skill is safe to use. No action required.

Security findings: 1

Severity: Low
Finding: Expression validation uses keyword blocklist [Sensitive access]
signal_types.py blocks dangerous keywords like 'import', 'exec', 'eval', 'open', 'os', 'sys', 'lambda' in user expressions. While df.eval() provides inherent DataFrame sandboxing, the blocklist approach could miss some edge cases.
EXPR_BLOCKED_KEYWORDS = {'import', 'exec', 'eval', '__', 'open', 'os', 'sys', 'lambda'}
→ Consider using AST parsing instead of regex for more robust validation
Location: scripts/signal_types.py:22
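Resource type          Declared permission  Inferred permission  Status        Evidence
File system            NONE                 READ                 ✓ Consistent  Reads YAML config files only
Network access         NONE                 READ                 ✓ Consistent  tvscreener library makes public API calls
Command execution      NONE                 NONE                               No shell execution found
Environment variables  NONE                 NONE                               No environment variable access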

Directory structure

19 files · 59.6 KB · 2145 lines
Markdown 5f · 1032L Python 7f · 881L YAML 4f · 166L Shell 1f · 51L JSON 1f · 11L Text 1f · 4L
├─ 📁 assets
│ └─ 📋 signal-template.yaml YAML 58L · 1.6 KB
├─ 📁 references
│ ├─ 📝 computed-signals-guide.md Markdown 222L · 5.0 KB
│ ├─ 📝 field-presets.md Markdown 281L · 6.9 KB
│ ├─ 📝 strategy-templates.md Markdown 235L · 5.8 KB
│ └─ 📝 tvscreener-api-guide.md Markdown 174L · 4.5 KB
├─ 📁 scripts
│ ├─ 📁 tests
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 test_screen.py Python 135L · 3.9 KB
│ │ └─ 🐍 test_signal_engine.py Python 191L · 5.9 KB
│ ├─ 📄 requirements.txt Text 4L · 58 B
│ ├─ 🐍 screen.py Python 125L · 4.5 KB
│ ├─ 🐍 screener_constants.py Python 88L · 2.9 KB
│ ├─ 🐍 signal_engine.py Python 169L · 5.5 KB
│ └─ 🐍 signal_types.py Python 173L · 5.5 KB
├─ 📁 state
│ └─ 📁 signals
│    ├─ 📋 golden-cross.yaml YAML 35L · 728 B
│    ├─ 📋 oversold-bounce.yaml YAML 36L · 766 B
│    └─ 📋 volume-breakout.yaml YAML 37L · 772 B
├─ 📋 _meta.json JSON 11L · 292 B
├─ 🔧 install.sh Shell 51L · 1.2 KB
└─ 📝 SKILL.md Markdown 120L · 3.8 KB

Dependency analysis: 4 items

Package     Version   Source  Known vulnerabilities  Notes
tvscreener  >=0.2.0   pip                            Public TradingView API wrapper
pandas      >=2.0.0   pip                            Standard data analysis library
pyyaml      >=6.0     pip                            Uses yaml.safe_load for YAML parsing
pytest      >=7.0.0   pip                            Development dependency only

Security highlights

✓ No credential harvesting or environment variable access
✓ No shell execution or subprocess calls
✓ No file writes to sensitive paths
✓ No base64 encoding or obfuscation
✓ Expression validation with blocked keywords and df.eval() sandboxing
✓ Clean, documented market data operations only
✓ No external data exfiltration
✓ Proper test coverage validates behavior