中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
hn-news-agent
Hacker News 新闻采集与推送智能体 — fetches HN stories, classifies by topic, supports bilingual output, optional Feishu push
A straightforward Hacker News aggregation agent that fetches HN stories via the official Firebase API and optionally pushes summaries to a Feishu webhook — no shell execution, credential access, or hidden functionality.
技能名称hn-news-agent
分析耗时24.3s
引擎pi
可以安装
No action needed. The skill is safe to use as described.

安全发现 1 项

严重性 安全发现 位置
提示
SKILL.md lists a classify.py script not present in scripts/ 文档欺骗
SKILL.md project structure references scripts/classify.py, but only fetch_hn.py and daily_report.py exist. Classification is inlined in fetch_hn.py. Minor doc inconsistency with no security impact.
scripts/
│   ├── fetch_hn.py      # 抓取脚本
│   └── classify.py      # 分类脚本
→ Update SKILL.md to remove the non-existent classify.py reference, or add the file.
 SKILL.md:61
资源类型声明权限推断权限状态证据
文件系统 NONE READ ✓ 一致 fetch_hn.py:9 — imports os, sys only for path manipulation
网络访问 READ READ ✓ 一致 fetch_hn.py:20 — requests.get to HN API; daily_report.py:86 — conditional POST t…
命令执行 NONE NONE No subprocess, no os.system, no shell=True calls
环境变量 NONE NONE No os.environ access for credential harvesting
技能调用 NONE NONE No cross-skill invocation
剪贴板 NONE NONE No clipboard access
浏览器 NONE NONE No browser automation
数据库 NONE NONE No database access
3 项发现
🔗
中危 外部 URL 外部 URL
https://open.feishu.cn/open-apis/bot/v2/hook/xxx
README.md:24
🔗
中危 外部 URL 外部 URL
https://hacker-news.firebaseio.com/v0
scripts/fetch_hn.py:20
🔗
中危 外部 URL 外部 URL
https://news.ycombinator.com
scripts/fetch_hn.py:21

目录结构

5 文件 · 17.3 KB · 624 行
Python 2f · 400L Markdown 2f · 203L JSON 1f · 21L
├─ 📁 scripts
│ ├─ 🐍 daily_report.py Python 151L · 4.6 KB
│ └─ 🐍 fetch_hn.py Python 249L · 7.9 KB
├─ 🔑 config.json JSON 21L · 730 B
├─ 📝 README.md Markdown 96L · 1.8 KB
└─ 📝 SKILL.md Markdown 107L · 2.2 KB

依赖分析 1 项

包名版本来源已知漏洞备注
requests unpinned pip Optional import with graceful fallback to text note

安全亮点

✓ No shell execution (subprocess, os.system, shell=True)
✓ No credential harvesting — feishu_webhook is user-supplied in config.json, never harvested
✓ No obfuscation — all code is plain text, no base64, no eval
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No data exfiltration — network calls only to legitimate HN API and user-configured Feishu webhook
✓ No supply chain risk — only requests library (optional, with fallback)
✓ SKILL.md accurately describes all capabilities and behavior