Scan Report
0/100
hfmirror-trending
Fetches real-time Hugging Face trending data through the HF-Mirror public API and generates a structured Chinese-language Markdown report
This skill is a straightforward, benign Hugging Face trending data fetcher with zero external dependencies and no suspicious behavior.
Safe to install
No action needed. The skill is safe to use as designed.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | SKILL.md:27 — python scripts/summarize.py --fetch [out_path.md] writes to disk |
| Network | READ | READ | ✓ Aligned | SKILL.md:21 & scripts/summarize.py:22 — GET https://hf-mirror.com/api/trending |
| Shell | NONE | NONE | — | No subprocess/eval/os.system calls in scripts/summarize.py |
| Environment | NONE | NONE | — | No os.environ access in scripts/summarize.py |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No DB access |
1 finding
Medium External URL
https://hf-mirror.com/api/trending (SKILL.md:21)
File Tree
2 files · 7.2 KB · 178 lines (Python: 1 file, 121 lines; Markdown: 1 file, 57 lines)
├─ scripts
│  └─ summarize.py (Python)
└─ SKILL.md (Markdown)
Security Positives
✓ Zero external dependencies — uses only Python 3 standard library (json, urllib, os, sys)
✓ Code behavior fully matches SKILL.md documentation — no hidden functionality
✓ Makes a single outbound GET request to a well-known public API (hf-mirror.com)
✓ Uses a clear, identifiable User-Agent (hfmirror-trending-skill/1.0)
✓ No credential, environment variable, or sensitive path access
✓ No shell execution, subprocess, eval, or base64 decoding
✓ No data exfiltration or covert network channels
✓ Output is a local Markdown file — no external data transmission beyond the intended API call