Scan Report
15/100
trump-news-daily
Fetches Trump-related news daily (from official sources and mainstream wire services), translates it into Chinese with AI, edits it, and pushes it to users
This is a legitimate Trump news aggregation skill that fetches RSS feeds and official APIs; minor documentation gaps around credential access patterns do not constitute malicious behavior.
Safe to install
Approve for use with standard precautions. Consider explicitly documenting environment variable access for Truth Social credentials in SKILL.md for full transparency.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Truth Social credential environment variables not explicitly declared in SKILL.md (Doc Mismatch) | scripts/fetch_truth_social.py:35 |
| Low | Subprocess execution not declared in SKILL.md (Doc Mismatch) | scripts/fetch_trump_news.py:112 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | config/sources.json read at startup, SKILL.md references config |
| Network | READ | READ | ✓ Aligned | urllib.urlopen() to RSS feeds and Federal Register API (lines 75-132) |
| Shell | NONE | WRITE | ✓ Aligned | subprocess.run(sys.executable, ...) at fetch_trump_news.py:112 |
| Environment | NONE | READ | ✓ Aligned | os.environ.get(TRUTHSOCIAL_*) at fetch_truth_social.py:35-37 |
| Skill Invoke | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |
9 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.whitehouse.gov/briefing-room/feed/ | SKILL.md:29 |
| Medium | External URL | https://www.federalregister.gov/api/v1/documents.json | SKILL.md:30 |
| Medium | External URL | https://www.scotusblog.com/feed/ | SKILL.md:31 |
| Medium | External URL | https://www.reutersagency.com/feed/?best-topics=political-general&post_type=best | scripts/fetch_trump_news.py:45 |
| Medium | External URL | https://feeds.apnews.com/rss/ap_top_news | scripts/fetch_trump_news.py:52 |
| Medium | External URL | https://www.afp.com/en/actus/afp_communique/all/feed | scripts/fetch_trump_news.py:59 |
| Medium | External URL | http://www.w3.org/2005/Atom | scripts/fetch_trump_news.py:102 |
| Medium | External URL | https://www.federalregister.gov/api/v1/documents.json? | scripts/fetch_trump_news.py:130 |
| Medium | External URL | https://truthsocial.com/@ | scripts/fetch_truth_social.py:57 |

File Tree
6 files · 22.2 KB · 548 lines (Python 2 files · 355 lines; Markdown 2 files · 173 lines; JSON 1 file · 16 lines; Text 1 file · 4 lines)

├─ config/
│  └─ sources.json (JSON)
├─ scripts/
│  ├─ fetch_trump_news.py (Python)
│  └─ fetch_truth_social.py (Python)
├─ README.md (Markdown)
├─ requirements-optional.txt (Text)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| truthbrush | >=0.2.0 | pip | No | Optional dependency; only installed if Truth Social integration is desired |
| requests | * | pip | No | Not directly used; script uses urllib from stdlib |
Security Positives
✓ All network requests are to legitimate, well-known news sources (Reuters, AP, AFP, White House, Federal Register, SCOTUSblog)
✓ No obfuscation techniques (base64, eval, atob) detected
✓ No attempts to access sensitive system paths (~/.ssh, ~/.aws, .env system files)
✓ No data exfiltration or C2 communication patterns
✓ No reverse shell or arbitrary command execution
✓ No credential theft beyond the explicitly-required Truth Social authentication
✓ Subprocess calls are to scripts within the same skill directory, not external arbitrary commands
✓ Error handling is present with try/except blocks and graceful fallbacks
✓ No typosquatting or supply chain risks detected in dependencies (truthbrush>=0.2.0 is a known package)