hn-news-agent Security Report — Trusted | ClawSafe

5 /100

hn-news-agent

Hacker News 新闻采集与推送智能体 — fetches HN stories, classifies by topic, supports bilingual output, optional Feishu push

A straightforward Hacker News aggregation agent that fetches HN stories via the official Firebase API and optionally pushes summaries to a Feishu webhook — no shell execution, credential access, or hidden functionality.

Skill Namehn-news-agent

Duration24.3s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use as described.

Findings 1 items

Severity	Finding	Location
Info	SKILL.md lists a classify.py script not present in scripts/ Doc Mismatch SKILL.md project structure references scripts/classify.py, but only fetch_hn.py and daily_report.py exist. Classification is inlined in fetch_hn.py. Minor doc inconsistency with no security impact. `scripts/ │ ├── fetch_hn.py # 抓取脚本 │ └── classify.py # 分类脚本` → Update SKILL.md to remove the non-existent classify.py reference, or add the file.	`SKILL.md:61`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	fetch_hn.py:9 — imports os, sys only for path manipulation
Network	`READ`	`READ`	✓ Aligned	fetch_hn.py:20 — requests.get to HN API; daily_report.py:86 — conditional POST t…
Shell	`NONE`	`NONE`	—	No subprocess, no os.system, no shell=True calls
Environment	`NONE`	`NONE`	—	No os.environ access for credential harvesting
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

3 findings

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/bot/v2/hook/xxx

README.md:24

🔗

Medium External URL 外部 URL

https://hacker-news.firebaseio.com/v0

scripts/fetch_hn.py:20

🔗

Medium External URL 外部 URL

https://news.ycombinator.com

scripts/fetch_hn.py:21

File Tree

5 files · 17.3 KB · 624 lines

Python 2f · 400L Markdown 2f · 203L JSON 1f · 21L

├─ ▾ 📁 scripts

│ ├─ 🐍 daily_report.py Python 151L · 4.6 KB

│ └─ 🐍 fetch_hn.py Python 249L · 7.9 KB

├─ 🔑 config.json ⚠ JSON 21L · 730 B

├─ 📝 README.md Markdown 96L · 1.8 KB

└─ 📝 SKILL.md Markdown 107L · 2.2 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`unpinned`	pip	No	Optional import with graceful fallback to text note

Security Positives

✓ No shell execution (subprocess, os.system, shell=True)

✓ No credential harvesting — feishu_webhook is user-supplied in config.json, never harvested

✓ No obfuscation — all code is plain text, no base64, no eval

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No data exfiltration — network calls only to legitimate HN API and user-configured Feishu webhook

✓ No supply chain risk — only requests library (optional, with fallback)

✓ SKILL.md accurately describes all capabilities and behavior

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives