quotedance-market 安全扫描报告 — 可信 | ClawSafe

5 /100

quotedance-market

专业的全球市场投研日报技能，提供结构化、有思考维度的市场分析

This is a legitimate market research skill that aggregates financial data from public APIs and news feeds. All capabilities are appropriate for the declared purpose.

技能名称quotedance-market

分析耗时27.0s

引擎pi

✓

可以安装

No action needed. The skill performs standard market data aggregation with appropriate network access and local caching.

安全发现 3 项

严重性	安全发现	位置
低危	Curl fallback not documented in SKILL.md The config.json enables curl fallback (enableCurlFallback: true) but SKILL.md does not mention this behavior. However, this is a legitimate network resilience pattern documented in config.json. `return execFileSync('curl', args, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] });` → Add curl fallback to SKILL.md documentation for transparency	`scripts/market-scan.js:147`
提示	Environment variable access for API key The script reads process.env.QUTEDANCE_API_KEY as a fallback. This is legitimate for service authentication. `const key = CONFIG.apiKey \|\| process.env.QUTEDANCE_API_KEY \|\| '';` → No action needed - this is standard authentication pattern	`scripts/market-scan.js:199`
提示	Unused rsshubUrl in config config.json defines rsshubUrl but the code does not use it. `"rsshubUrl": "http://localhost:1200"` → Remove unused configuration if not needed	`config.json:4`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	Uses fetch() and execFileSync('curl') for data retrieval from Yahoo Finance, Blo…
文件系统	`NONE`	`READ`	✓ 一致	Reads config.json at line 12
文件系统	`NONE`	`WRITE`	✓ 一致	Writes to memory/ directory for caching (lines 35-36, 392-394)
命令执行	`NONE`	`READ`	✓ 一致	execFileSync('curl') used as network fallback, not arbitrary command execution

14 项发现

🔗

中危外部 URL 外部 URL

https://quotedance.api.gapgap.cc

SKILL.md:31

🔗

中危外部 URL 外部 URL

https://query1.finance.yahoo.com/v7/finance/quote?symbols=

scripts/market-scan.js:233

🔗

中危外部 URL 外部 URL

https://query2.finance.yahoo.com/v8/finance/chart/

scripts/market-scan.js:252

🔗

中危外部 URL 外部 URL

https://stooq.com/q/l/?s=

scripts/market-scan.js:279

🔗

中危外部 URL 外部 URL

https://feeds.bloomberg.com/markets/news.rss

scripts/market-scan.js:475

🔗

中危外部 URL 外部 URL

https://news.google.com/rss/search?q=Bloomberg+market&hl=en-US&gl=US&ceid=US:en

scripts/market-scan.js:476

🔗

中危外部 URL 外部 URL

https://feeds.reuters.com/reuters/businessNews

scripts/market-scan.js:482

🔗

中危外部 URL 外部 URL

https://news.google.com/rss/search?q=Reuters+markets&hl=en-US&gl=US&ceid=US:en

scripts/market-scan.js:483

🔗

中危外部 URL 外部 URL

https://wallstreetcn.com/rss

scripts/market-scan.js:489

🔗

中危外部 URL 外部 URL

https://news.google.com/rss/search?q=%E5%8D%8E%E5%B0%94%E8%A1%97%E8%A7%81%E9%97%BB&hl=zh-CN&gl=CN&ceid=CN:zh-Hans

scripts/market-scan.js:490

🔗

中危外部 URL 外部 URL

https://www.jin10.com/rss

scripts/market-scan.js:496

🔗

中危外部 URL 外部 URL

https://news.google.com/rss/search?q=%E9%87%91%E5%8D%81%E6%95%B0%E6%8D%AE&hl=zh-CN&gl=CN&ceid=CN:zh-Hans

scripts/market-scan.js:497

🔗

中危外部 URL 外部 URL

https://www.coindesk.com/arc/outboundfeeds/rss/

scripts/market-scan.js:502

🔗

中危外部 URL 外部 URL

https://www.theblock.co/rss.xml

scripts/market-scan.js:506

目录结构

3 文件 · 31.1 KB · 1092 行

JavaScript 1f · 857L Markdown 1f · 201L JSON 1f · 34L

├─ ▾ 📁 scripts

│ └─ 📜 market-scan.js JavaScript 857L · 25.7 KB

├─ 🔑 config.json ⚠ JSON 34L · 813 B

└─ 📝 SKILL.md Markdown 201L · 4.6 KB

安全亮点

✓ All network requests are to legitimate, publicly documented financial data sources

✓ No credential harvesting or exfiltration behavior

✓ File writes are limited to local memory/ cache directory for legitimate caching purposes

✓ Shell execution via curl is controlled and used only for network fallback

✓ API key access is properly scoped to configuration, not general environment scanning

✓ No obfuscated code, base64 payloads, or hidden instructions

✓ Code is well-structured and readable