ai-agent-news-aggregator Security Report — Low Risk | ClawSafe

15 /100

ai-agent-news-aggregator

AI Agent 资讯聚合技能 - 搜集 AI Agent 领域最新资讯并推送到飞书群聊

A legitimate news aggregation skill with minor doc-to-code inconsistencies but no malicious behavior detected.

Skill Nameai-agent-news-aggregator

Duration39.9s

Enginepi

✓

Safe to install

This skill is safe to use. Consider documenting the subprocess usage in SKILL.md for transparency, but no immediate security action is required.

Findings 2 items

Severity	Finding	Location
Low	Undeclared subprocess execution Doc Mismatch run_pipeline.py uses subprocess.run() to execute Python scripts in the scripts/ directory, but SKILL.md does not declare shell execution as a capability. `result = subprocess.run(cmd, capture_output=True, text=True)` → Add shell:WRITE to the declared capabilities in SKILL.md if subprocess execution is intended	`scripts/run_pipeline.py:19`
Info	Tool name mismatch Doc Mismatch SKILL.md mentions 'ddg-search' and 'blogwatcher' as external dependencies, but the code only constructs URLs without actually invoking these tools. `SKILL.md: 'ddg-search' - DuckDuckGo 网页搜索` → Update SKILL.md to reflect that URLs are built and returned for external fetching	`SKILL.md vs scripts/search_news.py:36`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	Reads config JSON files for keywords and channel_id
Network	`READ`	`READ`	✓ Aligned	Makes HTTP requests to DuckDuckGo and RSS feeds for news aggregation
Shell	`NONE`	`WRITE`	✓ Aligned	run_pipeline.py:19 uses subprocess.run() to execute Python scripts

8 findings

🔗

Medium External URL 外部 URL

https://news.ycombinator.com/newest

SKILL.md:202

🔗

Medium External URL 外部 URL

https://www.anthropic.com/news/rss.xml

SKILL.md:203

🔗

Medium External URL 外部 URL

https://.../rss.xml

scripts/README.md:84

🔗

Medium External URL 外部 URL

https://lite.duckduckgo.com/lite/

scripts/search_news.py:32

🔗

Medium External URL 外部 URL

https://hnrss.org/newest?q=ai+agent

scripts/sources.json:15

🔗

Medium External URL 外部 URL

https://huggingface.co/blog/feed.xml

scripts/sources.json:27

🔗

Medium External URL 外部 URL

https://blog.langchain.dev/rss/

scripts/sources.json:31

🔗

Medium External URL 外部 URL

https://lite.duckduckgo.com/lite/?q=AI+Agent+framework+OR+LangChain+new+release+OR+AutoGen+update+OR+CrewAI+OR+LlamaInde...

scripts/step1_search.json:2

File Tree

12 files · 33.9 KB · 1367 lines

Python 7f · 893L Markdown 2f · 400L JSON 2f · 64L Text 1f · 10L

├─ ▾ 📁 scripts

│ ├─ 🐍 categorize.py Python 139L · 3.9 KB

│ ├─ 🐍 deduplicate.py Python 145L · 3.8 KB

│ ├─ 🐍 push_to_feishu.py Python 168L · 4.8 KB

│ ├─ 📝 README.md Markdown 137L · 2.3 KB

│ ├─ 📄 requirements.txt Text 10L · 351 B

│ ├─ 🐍 run_pipeline.py Python 145L · 4.6 KB

│ ├─ 🐍 search_news.py Python 111L · 3.2 KB

│ ├─ 📋 sources.json JSON 49L · 1.2 KB

│ ├─ 📋 step1_search.json JSON 15L · 457 B

│ ├─ 🐍 summarize.py Python 108L · 2.9 KB

│ └─ 🐍 test_push.py Python 77L · 1.8 KB

└─ 📝 SKILL.md Markdown 263L · 4.6 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`none (standard library only)`	`N/A`	pip	No	No external packages installed

Security Positives

✓ No external dependencies required (uses Python standard library only)

✓ No credential harvesting or sensitive path access

✓ No base64 encoding, obfuscation, or anti-analysis techniques

✓ No network exfiltration or C2 communication

✓ No remote script execution (curl|bash, wget|sh)

✓ No hidden functionality - all scripts perform declared tasks

✓ No supply chain risks (no unpinned dependencies)

✓ Legitimate news aggregation use case with transparent behavior

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives