Trusted: risk score 5/100
Last scan: 18 hours ago
spotify-news-digest
Scrape and summarize Spotify-related news from multiple sources, generate one-sentence Chinese summaries, and format them as a daily/weekly digest
This is a straightforward Spotify news digest aggregator with clean code, documented behavior, and no malicious indicators. All capabilities align with the stated purpose.
Skill name: spotify-news-digest
Analysis time: 39.4s
Engine: pi
Verdict: can be installed
No action needed. The skill is safe to use as documented.

Security findings: 1

Severity | Finding | Category | Location
Low | Loose dependency version pins | Supply chain | requirements.txt:1

requirements.txt specifies 'feedparser>=6.0', 'requests>=2.28', 'ddgs>=7.0' without exact versions. While no known malicious versions exist for these packages, loose pinning allows unexpected future updates.

Contents of requirements.txt:
feedparser>=6.0
beautifulsoup4>=4.12
requests>=2.28
python-dateutil>=2.8
ddgs>=7.0

→ Pin exact versions (e.g., feedparser==6.0.11) to ensure reproducible, auditable builds.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | requests.get() calls to RSS feeds and HN Algolia API; all endpoints declared in …
Filesystem | READ | READ | ✓ Consistent | Reads config/sources.json for source definitions; optional file writes to --outp…
Command execution | NONE | NONE | | No subprocess or shell execution found
Environment variables | NONE | NONE | | No os.environ access; skill only reads hardcoded RSS/API endpoints
External URL findings: 12

Severity | Category | URL | Location
Medium | External URL | https://engineering.atspotify.com/feed/ | SKILL.md:230
Medium | External URL | https://newsroom.spotify.com/feed/ | config/sources.json:13
Medium | External URL | https://research.atspotify.com/feed/ | config/sources.json:20
Medium | External URL | https://spotify.design/feed | config/sources.json:27
Medium | External URL | https://techcrunch.com/tag/spotify/feed/ | config/sources.json:34
Medium | External URL | https://www.theverge.com/rss/index.xml | config/sources.json:41
Medium | External URL | https://hn.algolia.com/api/v1/search?query=spotify&tags=story&hitsPerPage=20 | config/sources.json:49
Medium | External URL | https://www.musicbusinessworldwide.com/feed/ | config/sources.json:56
Medium | External URL | https://pitchfork.com/feed/feed-news/json | config/sources.json:65
Medium | External URL | https://www.billboard.com/feed/ | references/sources_reference.md:21
Medium | External URL | https://hn.algolia.com/api/v1/search?query=spotify&tags=story | references/sources_reference.md:27
Medium | External URL | https://news.ycombinator.com/item?id= | scripts/fetch_spotify_news.py:141

Directory structure

7 files · 33.6 KB · 1008 lines
Python 3f · 538L   Markdown 2f · 386L   JSON 1f · 79L   Text 1f · 5L
├─ config/
│  └─ sources.json              JSON      79L  · 1.9 KB
├─ references/
│  └─ sources_reference.md      Markdown  72L  · 2.5 KB
├─ scripts/
│  ├─ fetch_spotify_news.py     Python    287L · 10.6 KB
│  ├─ generate_digest.py        Python    60L  · 1.9 KB
│  └─ process_spotify_news.py   Python    191L · 7.0 KB
├─ requirements.txt             Text      5L   · 83 B
└─ SKILL.md                     Markdown  314L · 9.6 KB

Dependency analysis: 5 packages

Package | Version | Source | Known vulnerabilities | Notes
feedparser | >=6.0 | pip | | Version not pinned; no known malicious versions
beautifulsoup4 | >=4.12 | pip | | Version not pinned; no known malicious versions
requests | >=2.28 | pip | | Version not pinned; no known malicious versions
python-dateutil | >=2.8 | pip | | Version not pinned; no known malicious versions
ddgs | >=7.0 | pip | | Version not pinned; no known malicious versions

Security highlights

✓ Clean, readable Python code with no obfuscation or base64 payloads
✓ All network activity is declared in SKILL.md and config/sources.json with explicit RSS/API endpoints
✓ No credential harvesting, data exfiltration, or persistence mechanisms
✓ No subprocess, shell execution, or eval patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ SSL context workaround (ssl._create_unverified_context) is a documented developer workaround for cert environments, not a data interception attempt
✓ Purpose is clearly documented and code behavior matches documentation