Trusted: risk score 5/100
Last scanned: 22 hours ago
clawforage-knowledge-harvester
Daily automated briefings — fetches trending content via Google News RSS, summarizes into memory for RAG retrieval
A straightforward RSS-based knowledge harvester with no malicious behavior, fully documented shell usage, and clean capabilities aligned with its stated purpose.
Skill name: clawforage-knowledge-harvester
Analysis time: 29.1s
Engine: pi
Safe to install
Approve for use. No security concerns identified.
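| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md: memory/knowledge/ directory write; SKILL.md:memory/clawforage/domains.… |
| Network access | READ | READ | ✓ Consistent | SKILL.md: Google News RSS (read-only); scripts/fetch-articles.sh:62: curl -sL |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md _meta metadata: requires bash,jq,curl; scripts use set -euo pipefail th… |
| Environment variables | NONE | NONE | | No environment variable access found |
| Skill invocation | NONE | NONE | | No cross-skill invocation found |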
2 findings

Medium severity: External URL
https://inspireehub.ai
README.md:61

Medium severity: External URL
https://news.google.com/rss/search?q=$
scripts/fetch-articles.sh:60

Directory structure

7 files · 10.5 KB · 345 lines
Markdown: 4 files · 199 lines; Shell: 3 files · 146 lines
├─ 📁 scripts
│ ├─ 🔧 dedup-articles.sh Shell 24L · 981 B
│ ├─ 🔧 fetch-articles.sh Shell 68L · 2.7 KB
│ └─ 🔧 validate-knowledge.sh Shell 54L · 1.3 KB
├─ 📁 templates
│ ├─ 📝 domains-example.md Markdown 12L · 367 B
│ └─ 📝 knowledge-article.md Markdown 13L · 274 B
├─ 📝 README.md Markdown 62L · 1.7 KB
└─ 📝 SKILL.md Markdown 112L · 3.3 KB

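Dependency analysis: 3 items

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| bash | 4+ | system | | Declared in _meta; no version pinning |
| jq | * | system | | Declared in _meta; no version pinning |
| curl | * | system | | Declared in _meta; no version pinning |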

Security highlights

✓ All shell execution is explicitly declared in SKILL.md via {baseDir} and _meta metadata
✓ Pure awk-based RSS parsing — no binary dependencies beyond jq/curl
✓ set -euo pipefail used throughout all scripts for safe failure modes
✓ Network access is read-only (RSS feed fetch) and limited to Google News
✓ No credential, key, or sensitive path access
✓ No obfuscation, base64, eval, or dynamic code execution
✓ Deduplication via URL comparison — no external communication for comparison
✓ Strict output format validation prevents content injection
✓ Skill constraints explicitly cap rate limits (100 API calls/run, 10 articles/domain)
✓ Legitimate source: Google News RSS — a public, free, no-auth API