fund-advisor 安全扫描报告 — 可信 | ClawSafe

5 /100

fund-advisor

场外公募基金配置顾问 Agent Skill，具备10年实战投资经验的资深理财经理角色

Pure documentation-only skill with no executable code, scripts, or binary files. All 7 files are Markdown documentation describing a fund advisor AI agent concept.

技能名称fund-advisor

分析耗时23.6s

引擎pi

✓

可以安装

No action required. This is a documentation-only skill package with no security concerns.

安全发现 1 项

严重性	安全发现	位置
低危	Loose version constraints in declared dependencies SKILL.md declares requirements (coze-coding-dev-sdk>=0.5.11, langchain>=1.0, langgraph>=1.0) without upper bounds, increasing supply chain risk if these were ever installed. However, since this is a documentation-only package with no actual dependency installation, the practical risk is negligible. `requirements: ["coze-coding-dev-sdk>=0.5.11", "langchain>=1.0", "langgraph>=1.0"]` → Pin exact versions (e.g., coze-coding-dev-sdk==0.5.11) if this skill ever includes a dependency manifest.	`SKILL.md:14`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No file read/write operations; SKILL.md declares no filesystem access
网络访问	`NONE`	`NONE`	—	No network calls declared or implemented; external data access via integrated sk…
命令执行	`NONE`	`NONE`	—	No shell execution, no subprocess calls, no scripts found
环境变量	`NONE`	`NONE`	—	No environment variable access documented or implemented
技能调用	`READ`	`NONE`	✓ 一致	Mentions web-search, document-generation, knowledge, feishu-message skill integr…
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access; mentions /tmp storage for data but no DB operations

目录结构

7 文件 · 77.4 KB · 3020 行

Markdown 7f · 3020L

├─ ▾ 📁 examples

│ └─ 📝 usage-examples.md Markdown 291L · 6.0 KB

├─ ▾ 📁 references

│ ├─ 📝 agent-best-practices.md Markdown 575L · 15.5 KB

│ ├─ 📝 data-storage.md Markdown 824L · 20.8 KB

│ ├─ 📝 skill-integration.md Markdown 543L · 12.3 KB

│ └─ 📝 tool-development.md Markdown 421L · 10.6 KB

├─ 📝 README.md Markdown 78L · 2.4 KB

└─ 📝 SKILL.md Markdown 288L · 9.7 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`coze-coding-dev-sdk`	`>=0.5.11`	SKILL.md declared	否	No upper bound; only declared, not installed or executed
`langchain`	`>=1.0`	SKILL.md declared	否	No upper bound; only declared, not installed or executed
`langgraph`	`>=1.0`	SKILL.md declared	否	No upper bound; only declared, not installed or executed

安全亮点

✓ No executable scripts, code files, or binaries — 100% documentation

✓ No credential harvesting or sensitive path access

✓ No network exfiltration patterns (no curl|bash, wget|sh, eval, atob)

✓ No hidden functionality — documentation and declared capabilities are consistent

✓ No base64-encoded payloads or obfuscated code

✓ No suspicious IOC indicators (pre-scan found zero IOCs)

✓ Uses /tmp for data storage as documented, no exfiltration paths

✓ Includes investment risk disclaimers and合规性 guidance