Scan Report
0 /100
news-to-markdown-skill
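News article to Markdown converter, supporting dual-engine extraction, a three-tier fetching strategy, and dedicated optimizations for 10 platforms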
A legitimate news-to-markdown converter with single npm dependency, documented network fetching, and no malicious behavior detected.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md declares fetching HTML via curl/wget/Playwright; test.js fetches news.s… |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md line 50: convert-url writes Markdown output to user-specified path; --o… |
| Shell | NONE | NONE | — | No shell execution in scripts/test.js or SKILL.md; curl/wget/Playwright are libr… |
| Environment | NONE | NONE | — | No os.environ iteration or env var access in any file |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | Playwright mentioned only as optional dependency for JS rendering, not accessed … |
| Database | NONE | NONE | — | No database access |
8 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://www.toutiao.com/article/123 | SKILL.md:95 |
| Medium | External URL | https://news.sina.com.cn/... | SKILL.md:502 |
| Medium | External URL | https://news.163.com/... | SKILL.md:503 |
| Medium | External URL | https://tech.qq.com/... | SKILL.md:504 |
| Medium | External URL | https://news.sina.com.cn/ | scripts/test.js:13 |
| Medium | External URL | https://news.163.com/ | scripts/test.js:18 |
| Medium | External URL | https://news.qq.com/ | scripts/test.js:23 |
| Info | Email address | [email protected] | SKILL.md:5 |

File Tree
5 files · 19.0 KB · 785 lines
Markdown 2f · 693L
JavaScript 1f · 61L
JSON 2f · 31L

├─ scripts/
│  └─ test.js (JavaScript)
├─ _meta.json (JSON)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| news-to-markdown | ^1.4.25 | npm | No | Semver range with caret — stable upstream; core library is open-source on GitHub |
Security Positives
✓ Single npm dependency with a caret version range (news-to-markdown@^1.4.25) — no transitive supply chain risk from loose wildcards
✓ All network access is explicitly documented: three-tier fetching (curl/wget/Playwright) for user-provided URLs only
✓ No credential, key, token, or environment variable access in any file
✓ No base64, eval, atob, or obfuscated code patterns
✓ No shell subprocess, reverse shell, or arbitrary command execution
✓ No sensitive file access (~/.ssh, ~/.aws, .env, etc.)
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No C2, data exfiltration, or external IP communication beyond documented URL fetching
✓ Output is limited to local Markdown file writes — no outbound data transfer of user data
✓ Copyright guidance in SKILL.md explicitly advises compliance with source site policies