News Brief - 新闻简报 Security Report — Trusted | ClawSafe

5 /100

News Brief - 新闻简报

Chinese news portal aggregation with Markdown/JSON/RSS output

Legitimate Chinese news aggregation skill with proper security controls and transparent behavior.

Skill NameNews Brief - 新闻简报

Duration27.5s

Enginepi

✓

Safe to install

No action needed. Skill is safe to use.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	fetch.py:335 reads @file JSON input only
Network	`READ`	`READ`	✓ Aligned	fetch.py:168-182 urllib.request.urlopen for HTTP fetching
Shell	`NONE`	`NONE`	—	No subprocess or os.system calls
Environment	`NONE`	`READ`	✓ Aligned	Reads optional NEWS_CN_* env vars for config only
Skill Invoke	`NONE`	`NONE`	—	No inter-skill calls

1 High 20 findings

📡

High IP Address 硬编码 IP 地址

122.0.0.0

SKILL.md:31

🔗

Medium External URL 外部 URL

https://www.jisuapi.com

SKILL.md:11

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/

SKILL.md:129

🔗

Medium External URL 外部 URL

https://www.36kr.com/newsflashes

fetch.py:36

🔗

Medium External URL 外部 URL

https://www.jiqizhixin.com

fetch.py:37

🔗

Medium External URL 外部 URL

https://www.qbitai.com

fetch.py:38

🔗

Medium External URL 外部 URL

https://www.ithome.com

fetch.py:39

🔗

Medium External URL 外部 URL

https://news.163.com/

fetch.py:41

🔗

Medium External URL 外部 URL

https://tech.163.com/

fetch.py:42

🔗

Medium External URL 外部 URL

https://news.sina.com.cn/

fetch.py:44

🔗

Medium External URL 外部 URL

https://tech.sina.com.cn/

fetch.py:45

🔗

Medium External URL 外部 URL

https://www.guancha.cn

fetch.py:46

🔗

Medium External URL 外部 URL

https://www.thepaper.cn

fetch.py:47

🔗

Medium External URL 外部 URL

https://www.solidot.org

fetch.py:48

🔗

Medium External URL 外部 URL

https://techcrunch.com

fetch.py:49

🔗

Medium External URL 外部 URL

https://www.theverge.com

fetch.py:50

🔗

Medium External URL 外部 URL

https://feeds.bbci.co.uk/zhongwen/trad/rss.xml

fetch.py:58

🔗

Medium External URL 外部 URL

https://feeds.bbci.co.uk/zhongwen/simp/rss.xml

fetch.py:59

🔗

Medium External URL 外部 URL

https://www.solidot.org/index.rss

fetch.py:60

📧

Info Email 邮箱地址

[email protected]

SKILL.md:12

File Tree

2 files · 31.9 KB · 874 lines

Python 1f · 735L Markdown 1f · 139L

├─ 🐍 fetch.py Python 735L · 24.8 KB

└─ 📝 SKILL.md Markdown 139L · 7.1 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`beautifulsoup4`	`*`	pip	No	Required for HTML parsing; version not pinned in docs but standard library wrapper included

Security Positives

✓ Uses only Python standard library + BeautifulSoup (no unknown dependencies)

✓ Blocks file:// scheme - only http(s) allowed

✓ Blocks localhost/private IPs by default via NEWS_CN_BLOCK_PRIVATE

✓ Optional domain whitelist via NEWS_CN_ALLOW_HOSTS

✓ No credential harvesting or environment variable iteration for secrets

✓ No subprocess or shell execution

✓ No data exfiltration or beaconing behavior

✓ No obfuscation (base64, eval, atob)

✓ Clear documentation of all functionality in SKILL.md

✓ Pre-scan hardcoded IP (122.0.0.0) is a false positive - it's Chrome version in User-Agent example

Scan Report

File Tree

Dependencies 1 items

Security Positives