Low risk: risk score 15/100
Last scan: 17 hours ago
ai-agent-news-aggregator
AI Agent news aggregation skill: collects the latest news in the AI Agent field and pushes it to Feishu group chats
A legitimate news aggregation skill with minor doc-to-code inconsistencies but no malicious behavior detected.
Skill name: ai-agent-news-aggregator
Analysis time: 39.9s
Engine: pi
Verdict: can be installed
This skill is safe to use. Consider documenting the subprocess usage in SKILL.md for transparency, but no immediate security action is required.

Security findings: 2

Severity | Finding | Category | Location
Low | Undeclared subprocess execution | Documentation deception | scripts/run_pipeline.py:19
    run_pipeline.py uses subprocess.run() to execute Python scripts in the scripts/ directory, but SKILL.md does not declare shell execution as a capability.
    Evidence: result = subprocess.run(cmd, capture_output=True, text=True)
    → Add shell:WRITE to the declared capabilities in SKILL.md if subprocess execution is intended
Info | Tool name mismatch | Documentation deception | SKILL.md vs scripts/search_news.py:36
    SKILL.md mentions 'ddg-search' and 'blogwatcher' as external dependencies, but the code only constructs URLs without actually invoking these tools.
    Evidence: SKILL.md: 'ddg-search' - DuckDuckGo web search
    → Update SKILL.md to reflect that URLs are built and returned for external fetching
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ consistent | Reads config JSON files for keywords and channel_id
Network access | READ | READ | ✓ consistent | Makes HTTP requests to DuckDuckGo and RSS feeds for news aggregation
Command execution | NONE | WRITE | ✓ consistent | run_pipeline.py:19 uses subprocess.run() to execute Python scripts
URL findings: 8

Severity | Type | URL | Location
Medium | External URL | https://news.ycombinator.com/newest | SKILL.md:202
Medium | External URL | https://www.anthropic.com/news/rss.xml | SKILL.md:203
Medium | External URL | https://.../rss.xml | scripts/README.md:84
Medium | External URL | https://lite.duckduckgo.com/lite/ | scripts/search_news.py:32
Medium | External URL | https://hnrss.org/newest?q=ai+agent | scripts/sources.json:15
Medium | External URL | https://huggingface.co/blog/feed.xml | scripts/sources.json:27
Medium | External URL | https://blog.langchain.dev/rss/ | scripts/sources.json:31
Medium | External URL | https://lite.duckduckgo.com/lite/?q=AI+Agent+framework+OR+LangChain+new+release+OR+AutoGen+update+OR+CrewAI+OR+LlamaInde... | scripts/step1_search.json:2

Directory structure

12 files · 33.9 KB · 1367 lines
Python 7 files · 893 lines | Markdown 2 files · 400 lines | JSON 2 files · 64 lines | Text 1 file · 10 lines
├─ 📁 scripts
│ ├─ 🐍 categorize.py Python 139L · 3.9 KB
│ ├─ 🐍 deduplicate.py Python 145L · 3.8 KB
│ ├─ 🐍 push_to_feishu.py Python 168L · 4.8 KB
│ ├─ 📝 README.md Markdown 137L · 2.3 KB
│ ├─ 📄 requirements.txt Text 10L · 351 B
│ ├─ 🐍 run_pipeline.py Python 145L · 4.6 KB
│ ├─ 🐍 search_news.py Python 111L · 3.2 KB
│ ├─ 📋 sources.json JSON 49L · 1.2 KB
│ ├─ 📋 step1_search.json JSON 15L · 457 B
│ ├─ 🐍 summarize.py Python 108L · 2.9 KB
│ └─ 🐍 test_push.py Python 77L · 1.8 KB
└─ 📝 SKILL.md Markdown 263L · 4.6 KB

Dependency analysis: 1

Package | Version | Source | Known vulnerabilities | Notes
none (standard library only) | N/A | pip | none | No external packages installed

Security highlights

✓ No external dependencies required (uses Python standard library only)
✓ No credential harvesting or sensitive path access
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No network exfiltration or C2 communication
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden functionality - all scripts perform declared tasks
✓ No supply chain risks (no unpinned dependencies)
✓ Legitimate news aggregation use case with transparent behavior