Scan Report
15 / 100
trump-news-daily
Fetches Trump-related news daily (from official sources and major wire services), translates it into Chinese with AI, edits it, and pushes it to users
This is a legitimate Trump news aggregation skill that fetches RSS feeds and official APIs; minor documentation gaps around credential access patterns do not constitute malicious behavior.
OK to install
Approve for use with standard precautions. Consider explicitly documenting environment variable access for Truth Social credentials in SKILL.md for full transparency.
Security findings: 2
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Truth Social credential environment variables not explicitly declared in SKILL.md | Documentation deception | scripts/fetch_truth_social.py:35 |
| Low | Subprocess execution not declared in SKILL.md | Documentation deception | scripts/fetch_trump_news.py:112 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | config/sources.json read at startup, SKILL.md references config |
| Network access | READ | READ | ✓ Consistent | urllib.urlopen() to RSS feeds and Federal Register API (lines 75-132) |
| Command execution | NONE | WRITE | ✓ Consistent | subprocess.run(sys.executable, ...) at fetch_trump_news.py:112 |
| Environment variables | NONE | READ | ✓ Consistent | os.environ.get(TRUTHSOCIAL_*) at fetch_truth_social.py:35-37 |
| Skill invocation | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |
9 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.whitehouse.gov/briefing-room/feed/ | SKILL.md:29 |
| Medium | External URL | https://www.federalregister.gov/api/v1/documents.json | SKILL.md:30 |
| Medium | External URL | https://www.scotusblog.com/feed/ | SKILL.md:31 |
| Medium | External URL | https://www.reutersagency.com/feed/?best-topics=political-general&post_type=best | scripts/fetch_trump_news.py:45 |
| Medium | External URL | https://feeds.apnews.com/rss/ap_top_news | scripts/fetch_trump_news.py:52 |
| Medium | External URL | https://www.afp.com/en/actus/afp_communique/all/feed | scripts/fetch_trump_news.py:59 |
| Medium | External URL | http://www.w3.org/2005/Atom | scripts/fetch_trump_news.py:102 |
| Medium | External URL | https://www.federalregister.gov/api/v1/documents.json? | scripts/fetch_trump_news.py:130 |
| Medium | External URL | https://truthsocial.com/@ | scripts/fetch_truth_social.py:57 |
Directory structure
6 files · 22.2 KB · 548 lines (Python: 2 files, 355 lines; Markdown: 2 files, 173 lines; JSON: 1 file, 16 lines; Text: 1 file, 4 lines)
```text
├─ config/
│  └─ sources.json (JSON)
├─ scripts/
│  ├─ fetch_trump_news.py (Python)
│  └─ fetch_truth_social.py (Python)
├─ README.md (Markdown)
├─ requirements-optional.txt (Text)
└─ SKILL.md (Markdown)
```
Dependency analysis: 2
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| truthbrush | >=0.2.0 | pip | No | Optional dependency; only installed if Truth Social integration is desired |
| requests | * | pip | No | Not directly used; script uses urllib from stdlib |
Security highlights
✓ All network requests are to legitimate, well-known news sources (Reuters, AP, AFP, White House, Federal Register, SCOTUSblog)
✓ No obfuscation techniques (base64, eval, atob) detected
✓ No attempts to access sensitive system paths (~/.ssh, ~/.aws, .env system files)
✓ No data exfiltration or C2 communication patterns
✓ No reverse shell or arbitrary command execution
✓ No credential theft beyond the explicitly-required Truth Social authentication
✓ Subprocess calls are to scripts within the same skill directory, not external arbitrary commands
✓ Error handling is present with try/except blocks and graceful fallbacks
✓ No typosquatting or supply chain risks detected in dependencies (truthbrush>=0.2.0 is a known package)