Low risk: risk score 15/100
Last scan: 21 hours ago
ai-daily
AI Daily - Fetch latest AI insights from RSS and push to webhook channels
Legitimate RSS-fetching and webhook-pushing skill with minor documentation issues; hardcoded IP (120.0.0.0) is a TEST-NET-1 documentation address with no active malicious behavior detected.
Skill name: ai-daily
Analysis time: 35.1s
Engine: pi
Verdict: can be installed
Replace the hardcoded IP address in scripts/fetch.sh with a domain name or environment variable to avoid confusion. No other security action is required.

Security findings (2)

Severity | Finding | Category | Location
Low | Hardcoded TEST-NET-1 IP address in fetch.sh | Documentation deception | scripts/fetch.sh:29
Line 29 of scripts/fetch.sh contains the hardcoded IP address '120.0.0.0'. This IP falls within the RFC 5737 TEST-NET-1 documentation range (120.0.0.0/24) reserved for use in documentation and examples. While the IP does not appear to be used in active network requests, hardcoded IP addresses in scripts are flagged as suspicious indicators.
Evidence (scripts/fetch.sh:29):
# Hardcoded IP address
→ Recommendation: Remove the hardcoded IP reference or replace it with a descriptive comment explaining its TEST-NET-1 documentation-only purpose. Ensure no active network requests use this IP.

Low | Placeholder webhook tokens in documentation | Documentation deception | SKILL.md:12
SKILL.md uses example webhook URLs (api.day.app/your-token, other-webhook) in environment variable examples. While these are standard documentation placeholders, they could be mistaken for real configuration instructions.
Evidence (SKILL.md:12):
export AI_DAILY_WEBHOOKS="https://api.day.app/your-token https://other-webhook"
→ Recommendation: Consider using clearly marked placeholder syntax (e.g., <YOUR_TOKEN>) or add a comment explicitly stating that these are example values.
Permissions

Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | scripts/fetch.sh:41 urllib.request.urlopen(req) for RSS fetch
Command execution | WRITE | WRITE | ✓ Consistent | scripts/fetch.sh:4 source command to load config
Environment variables | READ | READ | ✓ Consistent | scripts/fetch.sh:27 os.environ.get('AI_DAILY_WEBHOOKS')
Indicators: 4 findings (1 high)

Severity | Indicator type | Description | Value | Location
High | IP address | Hardcoded IP address | 120.0.0.0 | scripts/fetch.sh:29
Medium | External URL | External URL | https://api.day.app/your-token | SKILL.md:12
Medium | External URL | External URL | https://other-webhook | SKILL.md:12
Medium | External URL | External URL | https://justlovemaki.github.io/CloudFlare-AI-Insight-Daily/rss.xml | SKILL.md:18

Directory structure

3 files · 6.5 KB · 215 lines
Shell: 2 files, 142 lines · Markdown: 1 file, 73 lines
├─ scripts/
│  └─ fetch.sh (Shell, 131 lines, 4.1 KB)
├─ config.sh (Shell, 11 lines, 401 B)
└─ SKILL.md (Markdown, 73 lines, 2.1 KB)

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
feedparser | unpinned | python3 stdlib or pip | | feedparser is not declared via requirements.txt; the script relies on it being pre-installed
urllib | stdlib | python3 built-in | | Standard library, no risk

Security highlights

✓ Skill behavior matches declared purpose: fetching RSS and pushing to user-configured webhooks
✓ All network requests target user-supplied webhook URLs (no hardcoded exfiltration endpoints)
✓ RSS source is a well-known public GitHub Pages repository
✓ No credential harvesting, no credential files accessed
✓ No obfuscation techniques detected (no base64, no eval, no encoded payloads)
✓ Python heredoc is used for RSS parsing, which is a legitimate and appropriate approach
✓ No supply chain risk: only standard library imports (feedparser, urllib, os, json, re)
✓ Webhook format detection logic is appropriate for the declared platforms (Bark, WeChat Work, Feishu, DingTalk)