Low risk: risk score 10/100
Last scanned: 1 day ago
news-watcher
Cryptocurrency news watcher using Playwright - monitors CoinDesk/PANews and sends Telegram notifications via OpenClaw AI Agent
A legitimate cryptocurrency news watcher skill that uses Playwright to monitor news sites and sends Telegram notifications via OpenClaw CLI, with no malicious behavior detected.
Skill name: news-watcher
Analysis time: 37.1s
Engine: pi
Safe to install
This skill is safe to use. No security concerns require action.

Security findings: 2

Severity | Finding | Location

Low | Suspicious unpinned dependency (Supply chain) | package.json:11
package.json declares 'crypto: ^1.0.1', which is not a legitimate npm package (Node.js has a built-in crypto module). However, the code imports from Node's built-in 'crypto' module, so this entry is a placeholder with no runtime impact.
Evidence: "crypto": "^1.0.1"
→ Remove the 'crypto' entry from dependencies; the built-in Node.js module is used automatically.

Low | Minor documentation imprecision (Documentation deception) | SKILL.md:1
SKILL.md describes filesystem access as READ, but the code writes to ~/.openclaw/cache/. However, this is scoped write access to a dedicated cache directory, which is reasonable for the feature.
Evidence: Cache writes to ~/.openclaw/cache/news-hash.json
→ Minor; no action required, behavior is reasonable.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | WRITE | ✓ Consistent | fs.writeFileSync for cache save (line 61), scoped to ~/.openclaw/cache/
Network access | READ | READ | ✓ Consistent | Playwright page.goto for news sites + OpenClaw CLI network calls
Command execution | WRITE | WRITE | ✓ Consistent | execFileSync('node', [OPENCLAW_MJS, ...]) at line 13, only calls the OpenClaw CLI
Browser | READ | READ | ✓ Consistent | Playwright chromium.launch() for news site scraping
Environment variables | NONE | READ | ✓ Consistent | Reads OPENCLAW_MJS, TELEGRAM_USER_ID, CHROME_PATH, all documented, no credentia…
External URLs: 2 findings

Severity | Type | URL | Location
Medium | External URL | https://www.coindesk.com/zh | scripts/watch-news.js:35
Medium | External URL | https://www.panewslab.com/zh | scripts/watch-news.js:41

Directory structure

6 files · 34.8 KB · 1123 lines
JavaScript: 1 file, 373 lines · Text: 1 file, 373 lines · Markdown: 2 files, 299 lines · JSON: 2 files, 78 lines
├─ 📁 scripts
│ └─ 📜 watch-news.js JavaScript 373L · 12.4 KB
├─ 📋 package.json JSON 20L · 529 B
├─ 📝 README.md Markdown 141L · 3.1 KB
├─ 📋 skill.json JSON 58L · 2.0 KB
├─ 📝 SKILL.md Markdown 158L · 4.3 KB
└─ 📄 watch-news.txt Text 373L · 12.4 KB

Dependency analysis: 2 packages

Package | Version | Source | Known vulnerabilities | Notes
playwright | ^1.40.0 | npm | none listed | Version range with caret, allowing minor version flexibility
crypto | ^1.0.1 | npm | none listed | Placeholder/typosquat package; the Node.js built-in crypto module is used instead

Security highlights

✓ Fully open-source with GitHub link provided for verification
✓ No base64 encoding, obfuscation, or hidden functionality
✓ No credential harvesting - only reads documented config env vars
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration or C2 communication patterns
✓ Shell execution is limited to OpenClaw CLI (documented and necessary)
✓ Cache writes are scoped to a dedicated application directory
✓ Legitimate use case: news monitoring and Telegram notifications