finloop-news-skill Security Report — Trusted | ClawSafe

5 /100

finloop-news-skill

Finloop 资讯API调用技能 - Financial news and stock quote API integration

This is a legitimate Finloop financial news and stock quote API integration skill with no malicious behavior detected.

Skill Namefinloop-news-skill

Duration37.7s

Enginepi

✓

Safe to install

This skill is safe to use. No security concerns were identified. The skill only makes declared HTTP requests to known financial data endpoints.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	lib/install.js reads skill-manifest.json and copies files to .agents/skills/
Network	`READ`	`READ`	✓ Aligned	SKILL.md declares HTTP requests to ai-uat.finloopfintech.com and papi-uat.finloo…
Shell	`NONE`	`NONE`	—	No shell execution in skill behavior; publish.sh uses npm CLI but is not invoked…
Environment	`NONE`	`NONE`	—	No os.environ iteration or environment variable access detected

7 findings

🔗

Medium External URL 外部 URL

https://ai-uat.finloopfintech.com

.agents/skills/finloop-news-skill/SKILL.md:30

🔗

Medium External URL 外部 URL

https://papi-uat.finloopg.com

.agents/skills/finloop-news-skill/SKILL.md:31

🔗

Medium External URL 外部 URL

https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/financeBreakfast

.agents/skills/finloop-news-skill/SKILL.md:43

🔗

Medium External URL 外部 URL

https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/informationList

.agents/skills/finloop-news-skill/SKILL.md:81

🔗

Medium External URL 外部 URL

https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/banner/list

.agents/skills/finloop-news-skill/SKILL.md:135

🔗

Medium External URL 外部 URL

https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/bannerDetail

.agents/skills/finloop-news-skill/SKILL.md:161

🔗

Medium External URL 外部 URL

https://papi-uat.finloopg.com/flp-mktdata-hub/v1/stock/quote

.agents/skills/finloop-news-skill/SKILL.md:181

File Tree

7 files · 73.8 KB · 1921 lines

Markdown 3f · 1643L JavaScript 2f · 213L Shell 1f · 39L JSON 1f · 26L

├─ ▾ 📁 .agents

│ └─ ▾ 📁 skills

│ └─ ▾ 📁 finloop-news-skill

│ ├─ ▾ 📁 references

│ │ └─ 📝 REFERENCE.md Markdown 663L · 24.8 KB

│ ├─ 📋 skill-manifest.json JSON 26L · 707 B

│ └─ 📝 SKILL.md Markdown 490L · 20.6 KB

├─ ▾ 📁 bin

│ └─ 📜 finloop-news-skills.js JavaScript 52L · 1.4 KB

├─ ▾ 📁 lib

│ └─ 📜 install.js JavaScript 161L · 4.8 KB

├─ ▾ 📁 scripts

│ └─ 🔧 publish.sh Shell 39L · 883 B

└─ 📝 SKILL.md Markdown 490L · 20.6 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`node:fs`	`builtin`	node	No	Built-in Node.js module, no external dependency
`node:path`	`builtin`	node	No	Built-in Node.js module, no external dependency
`node:child_process`	`builtin`	node	No	Built-in Node.js module, only used in publish script for npm CLI

Security Positives

✓ All network requests are explicitly declared in SKILL.md with specific endpoints and domains

✓ No credential harvesting or exfiltration detected

✓ No base64-encoded execution or obfuscated code

✓ No access to sensitive file paths (~/.ssh, ~/.aws, .env, etc.)

✓ Filesystem operations are limited to the .agents/skills/ directory

✓ No reverse shell, C2, or data theft patterns detected

✓ Uses only Node.js built-in modules (fs, path, child_process, readline)

✓ Well-documented API with comprehensive parameter specifications

Scan Report

File Tree

Dependencies 3 items

Security Positives