Low Risk — Risk Score 15/100
Last scan: 21 hr ago
ai-daily
AI Daily - Fetch latest AI insights from RSS and push to webhook channels
Legitimate RSS-fetching and webhook-pushing skill with minor documentation issues; hardcoded IP (120.0.0.0) is a TEST-NET-1 documentation address with no active malicious behavior detected.
Skill Name: ai-daily
Duration: 35.1s
Engine: pi
Safe to install
Replace the hardcoded IP address in scripts/fetch.sh with a domain name or environment variable to avoid confusion. No other security action is required.

Findings (2 items)

Severity | Finding | Type | Location
Low | Hardcoded TEST-NET-1 IP address in fetch.sh | Doc Mismatch | scripts/fetch.sh:29
Details: Line 29 of scripts/fetch.sh contains the hardcoded IP address '120.0.0.0'. This IP falls within the RFC 5737 TEST-NET-1 documentation range (120.0.0.0/24) reserved for use in documentation and examples. While the IP does not appear to be used in active network requests, hardcoded IP addresses in scripts are flagged as suspicious indicators.
Evidence: # Hardcoded IP address
→ Remove the hardcoded IP reference or replace it with a descriptive comment explaining its TEST-NET-1 documentation-only purpose. Ensure no active network requests use this IP.

Low | Placeholder webhook tokens in documentation | Doc Mismatch | SKILL.md:12
Details: SKILL.md uses example webhook URLs (api.day.app/your-token, other-webhook) in environment variable examples. While these are standard documentation placeholders, they could be mistaken for real configuration instructions.
Evidence: export AI_DAILY_WEBHOOKS="https://api.day.app/your-token https://other-webhook"
→ Consider using clearly marked placeholder syntax (e.g., <YOUR_TOKEN>) or add a comment explicitly stating that these are example values.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | scripts/fetch.sh:41 urllib.request.urlopen(req) for RSS fetch
Shell | WRITE | WRITE | ✓ Aligned | scripts/fetch.sh:4 source command to load config
Environment | READ | READ | ✓ Aligned | scripts/fetch.sh:27 os.environ.get('AI_DAILY_WEBHOOKS')
Indicators (4 findings, 1 High)

Severity | Type | Value | Location
High | IP Address (hardcoded IP address) | 120.0.0.0 | scripts/fetch.sh:29
Medium | External URL | https://api.day.app/your-token | SKILL.md:12
Medium | External URL | https://other-webhook | SKILL.md:12
Medium | External URL | https://justlovemaki.github.io/CloudFlare-AI-Insight-Daily/rss.xml | SKILL.md:18

File Tree

3 files · 6.5 KB · 215 lines
Shell: 2 files, 142 lines · Markdown: 1 file, 73 lines
├─ 📁 scripts
│ └─ 🔧 fetch.sh Shell 131L · 4.1 KB
├─ 🔧 config.sh Shell 11L · 401 B
└─ 📝 SKILL.md Markdown 73L · 2.1 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
feedparser | unpinned | python3 stdlib or pip | No | feedparser is not declared in a requirements.txt; the script relies on it being pre-installed
urllib | stdlib | python3 built-in | No | Standard library, no risk

Security Positives

✓ Skill behavior matches declared purpose: fetching RSS and pushing to user-configured webhooks
✓ All network requests target user-supplied webhook URLs (no hardcoded exfiltration endpoints)
✓ RSS source is a well-known public GitHub Pages repository
✓ No credential harvesting, no credential files accessed
✓ No obfuscation techniques detected (no base64, no eval, no encoded payloads)
✓ Python heredoc is used for RSS parsing, which is a legitimate and appropriate approach
✓ No supply chain risk: only standard library imports (feedparser, urllib, os, json, re)
✓ Webhook format detection logic is appropriate for the declared platforms (Bark, WeChat Work, Feishu, DingTalk)