Scan report
0 /100
news-to-markdown-skill
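News article to Markdown tool, supporting dual-engine extraction, a three-tier fetching strategy, and dedicated optimizations for 10 platforms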
A legitimate news-to-markdown converter with single npm dependency, documented network fetching, and no malicious behavior detected.
OK to install
This skill is safe to use. No security concerns identified.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md declares fetching HTML via curl/wget/Playwright; test.js fetches news.s… |
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md line 50: convert-url writes Markdown output to user-specified path; --o… |
| Command execution | NONE | NONE | — | No shell execution in scripts/test.js or SKILL.md; curl/wget/Playwright are libr… |
| Environment variables | NONE | NONE | — | No os.environ iteration or env var access in any file |
| Skill invocation | NONE | NONE | — | No cross-skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | Playwright mentioned only as optional dependency for JS rendering, not accessed … |
| Database | NONE | NONE | — | No database access |
8 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://www.toutiao.com/article/123 | SKILL.md:95 |
| Medium | External URL | https://news.sina.com.cn/... | SKILL.md:502 |
| Medium | External URL | https://news.163.com/... | SKILL.md:503 |
| Medium | External URL | https://tech.qq.com/... | SKILL.md:504 |
| Medium | External URL | https://news.sina.com.cn/ | scripts/test.js:13 |
| Medium | External URL | https://news.163.com/ | scripts/test.js:18 |
| Medium | External URL | https://news.qq.com/ | scripts/test.js:23 |
| Info | Email address | [email protected] | SKILL.md:5 |
Directory structure
5 files · 19.0 KB · 785 lines
Markdown: 2 files · 693 lines
JavaScript: 1 file · 61 lines
JSON: 2 files · 31 lines
├─ scripts
│  └─ test.js (JavaScript)
├─ _meta.json (JSON)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| news-to-markdown | ^1.4.25 | npm | No | Semver range with caret — stable upstream; core library is open-source on GitHub |
Security highlights
✓ Single, pinned npm dependency (news-to-markdown@^1.4.25) — no transitive supply chain risk from loose wildcards
✓ All network access is explicitly documented: three-tier fetching (curl/wget/Playwright) for user-provided URLs only
✓ No credential, key, token, or environment variable access in any file
✓ No base64, eval, atob, or obfuscated code patterns
✓ No shell subprocess, reverse shell, or arbitrary command execution
✓ No sensitive file access (~/.ssh, ~/.aws, .env, etc.)
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No C2, data exfiltration, or external IP communication beyond documented URL fetching
✓ Output is limited to local Markdown file writes — no outbound data transfer of user data
✓ Copyright guidance in SKILL.md explicitly advises compliance with source site policies