Scan Report
0 /100
daily-investment-digest
Fetch financing event lists from the iYiou skill API and generate a daily financing report in Markdown to stdout.
A straightforward, well-documented investment event fetcher and Markdown report generator that makes read-only HTTP GET requests to a single external API and outputs structured data to stdout.
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem writes; generate_report.mjs explicitly disables --output and is st… |
| Network | READ | READ | ✓ Aligned | Only HTTP GET to https://api.iyiou.com/skill/info with fixed User-Agent header |
| Shell | NONE | NONE | — | node scripts/ are invoked directly; no raw bash, no curl|bash, no subprocess she… |
| Environment | NONE | NONE | — | No os.environ iteration or credential access |
| Skill Invoke | READ | READ | ✓ Aligned | Defined in agents/openai.yaml interface |
| Clipboard | NONE | NONE | — | No clipboard access observed |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
2 findings
Medium External URL 外部 URL
https://api.iyiou.com/skill/info?page=...&pageSize=... SKILL.md:3 Medium External URL 外部 URL
https://api.iyiou.com/skill/info SKILL.md:10 File Tree
6 files · 31.9 KB · 1067 lines JavaScript 3f · 901L
Markdown 2f · 159L
YAML 1f · 7L
├─
▾
agents
│ └─
openai.yaml
YAML
├─
▾
references
│ └─
field_mapping.md
Markdown
├─
▾
scripts
│ ├─
fetch_events.mjs
JavaScript
│ ├─
generate_report.mjs
JavaScript
│ └─
run_full_report.mjs
JavaScript
└─
SKILL.md
Markdown
Security Positives
✓ SKILL.md is thorough, declaring all scripts, parameters, output policies, and failure handling in detail
✓ Output is explicitly disabled; all scripts write only to stdout — no file artifacts created
✓ All numeric arguments are clamped to safe bounds (e.g., pageSize[1,100], maxPage[1,500], topN[0,500])
✓ Network activity is strictly bounded: single hardcoded HTTPS endpoint, no dynamic URLs
✓ Retry logic with progressive backoff is implemented; page-level errors are captured in JSON meta
✓ Date filtering defaults to yesterday with explicit opt-in for today — prevents accidental real-time data exposure
✓ run_full_report.mjs uses spawn with explicit process.execPath and argument arrays (no shell:true, no string injection risk)
✓ No credential access, no sensitive file paths touched (~/.ssh, .env, etc.), no base64/obfuscation
✓ Field mapping and API schema are documented in references/field_mapping.md with explicit contract
✓ No external dependencies beyond Node.js built-ins (fetch, fs/promises, path, child_process)