Trusted, risk score 5/100
Last scanned: 2 days ago
daily-briefing
Generate daily morning briefings with weather, traffic limits, and news
Legitimate daily briefing generation tool with declared network/shell access for weather and news data collection, no malicious behavior detected.
Skill name: daily-briefing
Analysis time: 30.5s
Engine: pi
Safe to install
Approve for use. Consider pinning cheerio dependency to a specific version for better reproducibility.

Security findings: 1

Severity: Low
Finding: Unpinned dependency version
cheerio dependency uses caret range ^1.2.0 instead of a specific version, which may lead to unexpected updates
"cheerio": "^1.2.0"
→ Pin to specific version for better reproducibility: "cheerio": "1.0.0-rc.12"
Location: package.json:12
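
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Consistent | Creates .cache/ directory for data caching (data-collector.mjs:18) |
| Network access | READ | READ | ✓ Consistent | Fetches weather from wttr.in and news from 163.com/sina.com.cn/sohu.com |
| Command execution | WRITE | WRITE | ✓ Consistent | execSync used for curl commands to public APIs |
| Environment variables | NONE | NONE | | No environment variable access |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
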
10 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen | README.md:3 |
| Medium | External URL | https://nodejs.org/ | README.md:3 |
| Medium | External URL | https://img.shields.io/badge/license-MIT-blue | README.md:4 |
| Medium | External URL | https://news.163.com$ | scripts/news-collector.mjs:56 |
| Medium | External URL | https://news.sina.com.cn$ | scripts/news-collector.mjs:81 |
| Medium | External URL | https://www.sohu.com$ | scripts/news-collector.mjs:106 |
| Medium | External URL | https://news.163.com | scripts/news-collector.mjs:162 |
| Medium | External URL | https://news.sina.com.cn | scripts/news-collector.mjs:163 |
| Medium | External URL | https://www.sohu.com | scripts/news-collector.mjs:164 |
| Info | Email address | [email protected] | README.md:178 |

Directory structure

9 files · 54.7 KB · 1778 lines
JavaScript 4f · 1031L Markdown 2f · 386L JSON 2f · 329L YAML 1f · 32L
├─ 📁 scripts
│ ├─ 📜 data-collector.mjs JavaScript 372L · 11.3 KB
│ ├─ 📜 generate-briefing.mjs JavaScript 187L · 5.3 KB
│ ├─ 📜 news-collector.mjs JavaScript 295L · 8.6 KB
│ └─ 📜 news-search.mjs JavaScript 177L · 4.9 KB
├─ 📋 manifest.yaml YAML 32L · 744 B
├─ 📋 package-lock.json JSON 313L · 11.0 KB
├─ 📋 package.json JSON 16L · 440 B
├─ 📝 README.md Markdown 219L · 6.3 KB
└─ 📝 SKILL.md Markdown 167L · 6.0 KB

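Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| cheerio | ^1.2.0 | npm | | Version not pinned - uses caret range |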

Security highlights

✓ No credential harvesting or sensitive path access (~/.ssh, ~/.aws, .env)
✓ No data exfiltration to external servers
✓ No base64/eval obfuscation or hidden instructions
✓ All network requests target legitimate public APIs (wttr.in) and known news sites (163.com, sina.com.cn, sohu.com)
✓ Shell execution (execSync with curl) is declared in SKILL.md as data source method
✓ No reverse shell, C2, or remote code execution beyond documented API calls
✓ Cache directory is local to skill (.cache/) with no external transmission
✓ MIT licensed with clear authorship