Low risk: risk score 15/100
Last scanned: 1 day ago
macro-news-signal
Macro News Signal is an intelligent market analysis skill that transforms real-time global news and key macro indicators into actionable investment insights.
This is a pure documentation-based market analysis skill with no executable code, scripts, or dangerous capabilities. The only concern is a hardcoded Chrome version string that was flagged as an IP address.
Skill name: macro-news-signal
Analysis time: 39.9s
Engine: pi
OK to install
This skill is safe to use. The only action item is to clarify that '146.0.0.0' in the User-Agent is a Chrome version number, not an IP address.

Security findings: 2

Severity / Finding / Location
Info
Chrome version misidentified as IP address (category: documentation deception)
The pre-scan flagged '146.0.0.0' as a hardcoded IP address at README.md:44. Upon review, this is actually 'Chrome/146.0.0.0' - a legitimate Chrome browser version number in a User-Agent string. This is a false positive.
Chrome/146.0.0.0 Safari/537.36
→ No action needed - this is not a security concern
README.md:44
Low
No allowed-tools declaration (category: documentation deception)
SKILL.md does not declare any allowed-tools permissions in the frontmatter. This makes it unclear what tools the skill expects to use for network requests.
No allowed-tools field in frontmatter
→ Add allowed-tools declaration to clarify expected permissions (network:READ, browser:READ)
SKILL.md:1
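| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No file operations in documentation |
| Network access | NONE | READ | ✓ Consistent | references/news_apis.md documents RSS feeds and APIs |
| Command execution | NONE | NONE | | No shell execution documented |
| Environment variables | NONE | NONE | | No environment variable access |
| Skill invocation | NONE | NONE | | No skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | READ | ✓ Consistent | SKILL.md mentions agent-browser skill for dynamic access |
| Database | NONE | NONE | | No database access |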
Pre-scan results: 1 high risk, 15 findings

| Severity | Finding | Value | Location |
|---|---|---|---|
| High | IP address: hardcoded IP address | 146.0.0.0 | README.md:44 |
| Medium | External URL | https://bbg.buzzing.cc/feed.json | references/news_apis.md:9 |
| Medium | External URL | https://feeds.bloomberg.com/markets/news.rss | references/news_apis.md:10 |
| Medium | External URL | https://www.cnbc.com/id/100003114/device/rss/rss.html | references/news_apis.md:11 |
| Medium | External URL | https://www.ft.com/rss/home | references/news_apis.md:12 |
| Medium | External URL | https://feeds.a.dj.com/rss/RSSMarketsMain.xml | references/news_apis.md:13 |
| Medium | External URL | https://www.economist.com/finance-and-economics/rss.xml | references/news_apis.md:14 |
| Medium | External URL | http://rss.spriple.org/zaobao/realtime/world | references/news_apis.md:15 |
| Medium | External URL | https://rss.spriple.org/10jqka/realtimenews | references/news_apis.md:16 |
| Medium | External URL | https://app.folo.is/share/feeds/70844804758158336 | references/news_apis.md:19 |
| Medium | External URL | https://docs.rsshub.app/zh/guide/instances | references/news_apis.md:20 |
| Medium | External URL | https://www.federalreserve.gov/feeds/press_all.xml | references/news_apis.md:26 |
| Medium | External URL | https://www.bankofengland.co.uk/rss | references/news_apis.md:27 |
| Medium | External URL | https://quote.cnbc.com/quote-html-webservice/restQuote/symbolType/symbol?symbols=US10YTIP&requestMethod=itv&noform=1&par... | references/news_apis.md:33 |
| Medium | External URL | https://quote.cnbc.com/quote-html-webservice/restQuote/symbolType/symbol?symbols=.DXY&requestMethod=itv&noform=1&partner... | references/news_apis.md:34 |

Directory structure

5 files · 17.4 KB · 392 lines
Markdown 5f · 392L
├─ 📁 references
│ ├─ 📝 data_schema.md Markdown 102L · 4.8 KB
│ └─ 📝 news_apis.md Markdown 34L · 1.8 KB
├─ 📝 README_zh-CN.md Markdown 88L · 3.5 KB
├─ 📝 README.md Markdown 88L · 3.7 KB
└─ 📝 SKILL.md Markdown 80L · 3.7 KB

Security highlights

✓ No executable code or scripts - pure documentation skill
✓ No credential theft or sensitive data access
✓ No base64 encoding or obfuscation techniques
✓ No C2 communication or data exfiltration
✓ No reverse shell or remote code execution
✓ External network access limited to legitimate financial news sources (Bloomberg, CNBC, FT, Fed)
✓ References to agent-browser skill for dynamic web access are appropriate for news scraping use case
✓ Respects robots.txt as mentioned in documentation
✓ Uses proper curl headers with User-Agent for API requests