中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
finresearchclaw
Finance, accounting, and investment research automation via the FinResearchClaw repo
Legitimate finance research automation skill that safely clones a public GitHub repo and runs documented research workflows with no hidden functionality.
技能名称finresearchclaw
分析耗时22.4s
引擎pi
可以安装
No action needed. The skill is safe for use.

安全发现 1 项

严重性 安全发现 位置
低危
allowedTools not explicitly declared in SKILL.md 文档欺骗
SKILL.md does not enumerate allowed tools (bash, git, pip). However, all shell usage is fully documented and scoped to the feature.
No allowedTools section present
→ Add an explicit allowedTools declaration to improve transparency.
 SKILL.md:1
资源类型声明权限推断权限状态证据
文件系统 NONE WRITE ✓ 一致 SKILL.md references writing to ~/.openclaw/workspace/
网络访问 NONE READ ✓ 一致 install_or_update.sh clones from github.com
命令执行 NONE WRITE ✓ 一致 run_finance_example.sh executes pip install and researchclaw

目录结构

6 文件 · 5.5 KB · 178 行
Markdown 2f · 112L Shell 3f · 61L JSON 1f · 5L
├─ 📁 references
│ └─ 📝 examples.md Markdown 53L · 1.5 KB
├─ 📁 scripts
│ ├─ 🔧 choose_runner.sh Shell 16L · 241 B
│ ├─ 🔧 install_or_update.sh Shell 21L · 733 B
│ └─ 🔧 run_finance_example.sh Shell 24L · 600 B
├─ 📋 _meta.json JSON 5L · 134 B
└─ 📝 SKILL.md Markdown 59L · 2.4 KB

安全亮点

✓ All shell operations are fully documented in SKILL.md helper scripts section
✓ No credential access attempted (no ~/.ssh, ~/.aws, .env reads)
✓ No base64, obfuscation, or eval patterns found
✓ No external IP connections beyond github.com
✓ No data exfiltration or C2 indicators
✓ Repo operations limited to a single well-known GitHub source
✓ pip install uses editable mode (-e) from a pinned local path only
✓ No cron, persistence, or backdoor mechanisms
✓ Scripts use set -euo pipefail for safe execution
✓ No high-risk indicators (reverse shell, credential harvesting, curl|bash)