中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:21 小时前 重新扫描
5 /100
finloop-news-skill
Finloop 资讯API调用技能 - Financial news and stock quote API integration
This is a legitimate Finloop financial news and stock quote API integration skill with no malicious behavior detected.
技能名称finloop-news-skill
分析耗时37.7s
引擎pi
可以安装
This skill is safe to use. No security concerns were identified. The skill only makes declared HTTP requests to known financial data endpoints.
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 lib/install.js reads skill-manifest.json and copies files to .agents/skills/
网络访问 READ READ ✓ 一致 SKILL.md declares HTTP requests to ai-uat.finloopfintech.com and papi-uat.finloo…
命令执行 NONE NONE No shell execution in skill behavior; publish.sh uses npm CLI but is not invoked…
环境变量 NONE NONE No os.environ iteration or environment variable access detected
7 项发现
🔗
中危 外部 URL 外部 URL
https://ai-uat.finloopfintech.com
.agents/skills/finloop-news-skill/SKILL.md:30
🔗
中危 外部 URL 外部 URL
https://papi-uat.finloopg.com
.agents/skills/finloop-news-skill/SKILL.md:31
🔗
中危 外部 URL 外部 URL
https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/financeBreakfast
.agents/skills/finloop-news-skill/SKILL.md:43
🔗
中危 外部 URL 外部 URL
https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/informationList
.agents/skills/finloop-news-skill/SKILL.md:81
🔗
中危 外部 URL 外部 URL
https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/banner/list
.agents/skills/finloop-news-skill/SKILL.md:135
🔗
中危 外部 URL 外部 URL
https://ai-uat.finloopfintech.com/flp-news-api/v1/news-agent/bannerDetail
.agents/skills/finloop-news-skill/SKILL.md:161
🔗
中危 外部 URL 外部 URL
https://papi-uat.finloopg.com/flp-mktdata-hub/v1/stock/quote
.agents/skills/finloop-news-skill/SKILL.md:181

目录结构

7 文件 · 73.8 KB · 1921 行
Markdown 3f · 1643L JavaScript 2f · 213L Shell 1f · 39L JSON 1f · 26L
├─ 📁 .agents
│ └─ 📁 skills
│ └─ 📁 finloop-news-skill
│ ├─ 📁 references
│ │ └─ 📝 REFERENCE.md Markdown 663L · 24.8 KB
│ ├─ 📋 skill-manifest.json JSON 26L · 707 B
│ └─ 📝 SKILL.md Markdown 490L · 20.6 KB
├─ 📁 bin
│ └─ 📜 finloop-news-skills.js JavaScript 52L · 1.4 KB
├─ 📁 lib
│ └─ 📜 install.js JavaScript 161L · 4.8 KB
├─ 📁 scripts
│ └─ 🔧 publish.sh Shell 39L · 883 B
└─ 📝 SKILL.md Markdown 490L · 20.6 KB

依赖分析 3 项

包名版本来源已知漏洞备注
node:fs builtin node Built-in Node.js module, no external dependency
node:path builtin node Built-in Node.js module, no external dependency
node:child_process builtin node Built-in Node.js module, only used in publish script for npm CLI

安全亮点

✓ All network requests are explicitly declared in SKILL.md with specific endpoints and domains
✓ No credential harvesting or exfiltration detected
✓ No base64-encoded execution or obfuscated code
✓ No access to sensitive file paths (~/.ssh, ~/.aws, .env, etc.)
✓ Filesystem operations are limited to the .agents/skills/ directory
✓ No reverse shell, C2, or data theft patterns detected
✓ Uses only Node.js built-in modules (fs, path, child_process, readline)
✓ Well-documented API with comprehensive parameter specifications