Trusted — Risk Score 5/100
Last scan: 2 days ago
daily-briefing
Generate daily morning briefings with weather, traffic limits, and news
Legitimate daily briefing generation tool with declared network/shell access for weather and news data collection, no malicious behavior detected.
Skill Name: daily-briefing
Duration: 30.5s
Engine: pi
Safe to install
Approve for use. Consider pinning cheerio dependency to a specific version for better reproducibility.

Findings (1 item)

| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned dependency version. cheerio dependency uses caret range ^1.2.0 instead of a specific version, which may lead to unexpected updates: "cheerio": "^1.2.0". → Pin to specific version for better reproducibility: "cheerio": "1.0.0-rc.12" | package.json:12 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Creates .cache/ directory for data caching (data-collector.mjs:18) |
| Network | READ | READ | ✓ Aligned | Fetches weather from wttr.in and news from 163.com/sina.com.cn/sohu.com |
| Shell | WRITE | WRITE | ✓ Aligned | execSync used for curl commands to public APIs |
| Environment | NONE | NONE | | No environment variable access |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

10 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen | README.md:3 |
| Medium | External URL | https://nodejs.org/ | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/license-MIT-blue | README.md:4 |
| Medium | External URL | https://news.163.com$ | scripts/news-collector.mjs:56 |
| Medium | External URL | https://news.sina.com.cn$ | scripts/news-collector.mjs:81 |
| Medium | External URL | https://www.sohu.com$ | scripts/news-collector.mjs:106 |
| Medium | External URL | https://news.163.com | scripts/news-collector.mjs:162 |
| Medium | External URL | https://news.sina.com.cn | scripts/news-collector.mjs:163 |
| Medium | External URL | https://www.sohu.com | scripts/news-collector.mjs:164 |
| Info | Email address | [email protected] | README.md:178 |

File Tree

9 files · 54.7 KB · 1778 lines
JavaScript 4f · 1031L Markdown 2f · 386L JSON 2f · 329L YAML 1f · 32L
├─ 📁 scripts
│ ├─ 📜 data-collector.mjs JavaScript 372L · 11.3 KB
│ ├─ 📜 generate-briefing.mjs JavaScript 187L · 5.3 KB
│ ├─ 📜 news-collector.mjs JavaScript 295L · 8.6 KB
│ └─ 📜 news-search.mjs JavaScript 177L · 4.9 KB
├─ 📋 manifest.yaml YAML 32L · 744 B
├─ 📋 package-lock.json JSON 313L · 11.0 KB
├─ 📋 package.json JSON 16L · 440 B
├─ 📝 README.md Markdown 219L · 6.3 KB
└─ 📝 SKILL.md Markdown 167L · 6.0 KB

Dependencies (1 item)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| cheerio | ^1.2.0 | npm | No | Version not pinned - uses caret range |

Security Positives

✓ No credential harvesting or sensitive path access (~/.ssh, ~/.aws, .env)
✓ No data exfiltration to external servers
✓ No base64/eval obfuscation or hidden instructions
✓ All network requests target legitimate public APIs (wttr.in) and known news sites (163.com, sina.com.cn, sohu.com)
✓ Shell execution (execSync with curl) is declared in SKILL.md as data source method
✓ No reverse shell, C2, or remote code execution beyond documented API calls
✓ Cache directory is local to skill (.cache/) with no external transmission
✓ MIT licensed with clear authorship