fund-advisor Security Report — Trusted | ClawSafe

5 /100

fund-advisor

场外公募基金配置顾问 Agent Skill，具备10年实战投资经验的资深理财经理角色

Pure documentation-only skill with no executable code, scripts, or binary files. All 7 files are Markdown documentation describing a fund advisor AI agent concept.

Skill Namefund-advisor

Duration23.6s

Enginepi

✓

Safe to install

No action required. This is a documentation-only skill package with no security concerns.

Findings 1 items

Severity	Finding	Location
Low	Loose version constraints in declared dependencies SKILL.md declares requirements (coze-coding-dev-sdk>=0.5.11, langchain>=1.0, langgraph>=1.0) without upper bounds, increasing supply chain risk if these were ever installed. However, since this is a documentation-only package with no actual dependency installation, the practical risk is negligible. `requirements: ["coze-coding-dev-sdk>=0.5.11", "langchain>=1.0", "langgraph>=1.0"]` → Pin exact versions (e.g., coze-coding-dev-sdk==0.5.11) if this skill ever includes a dependency manifest.	`SKILL.md:14`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file read/write operations; SKILL.md declares no filesystem access
Network	`NONE`	`NONE`	—	No network calls declared or implemented; external data access via integrated sk…
Shell	`NONE`	`NONE`	—	No shell execution, no subprocess calls, no scripts found
Environment	`NONE`	`NONE`	—	No environment variable access documented or implemented
Skill Invoke	`READ`	`NONE`	✓ Aligned	Mentions web-search, document-generation, knowledge, feishu-message skill integr…
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access; mentions /tmp storage for data but no DB operations

File Tree

7 files · 77.4 KB · 3020 lines

Markdown 7f · 3020L

├─ ▾ 📁 examples

│ └─ 📝 usage-examples.md Markdown 291L · 6.0 KB

├─ ▾ 📁 references

│ ├─ 📝 agent-best-practices.md Markdown 575L · 15.5 KB

│ ├─ 📝 data-storage.md Markdown 824L · 20.8 KB

│ ├─ 📝 skill-integration.md Markdown 543L · 12.3 KB

│ └─ 📝 tool-development.md Markdown 421L · 10.6 KB

├─ 📝 README.md Markdown 78L · 2.4 KB

└─ 📝 SKILL.md Markdown 288L · 9.7 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`coze-coding-dev-sdk`	`>=0.5.11`	SKILL.md declared	No	No upper bound; only declared, not installed or executed
`langchain`	`>=1.0`	SKILL.md declared	No	No upper bound; only declared, not installed or executed
`langgraph`	`>=1.0`	SKILL.md declared	No	No upper bound; only declared, not installed or executed

Security Positives

✓ No executable scripts, code files, or binaries — 100% documentation

✓ No credential harvesting or sensitive path access

✓ No network exfiltration patterns (no curl|bash, wget|sh, eval, atob)

✓ No hidden functionality — documentation and declared capabilities are consistent

✓ No base64-encoded payloads or obfuscated code

✓ No suspicious IOC indicators (pre-scan found zero IOCs)

✓ Uses /tmp for data storage as documented, no exfiltration paths

✓ Includes investment risk disclaimers and合规性 guidance

Scan Report

Findings 1 items

File Tree

Dependencies 3 items

Security Positives