Trusted: risk score 0/100
Last scanned: 1 day ago
daily-investment-digest
Fetch financing event lists from the iYiou skill API and generate a daily financing report in Markdown to stdout.
A straightforward, well-documented investment event fetcher and Markdown report generator that makes read-only HTTP GET requests to a single external API and outputs structured data to stdout.
Skill name: daily-investment-digest
Analysis time: 25.4s
Engine: pi
OK to install
No action needed. The skill is safe to use.
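| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No filesystem writes; generate_report.mjs explicitly disables --output and is st… |
| Network access | READ | READ | ✓ Consistent | Only HTTP GET to https://api.iyiou.com/skill/info with fixed User-Agent header |
| Command execution | NONE | NONE | | node scripts/ are invoked directly; no raw bash, no curl\|bash, no subprocess she… |
| Environment variables | NONE | NONE | | No os.environ iteration or credential access |
| Skill invocation | READ | READ | ✓ Consistent | Defined in agents/openai.yaml interface |
| Clipboard | NONE | NONE | | No clipboard access observed |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |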
2 findings

Medium risk: External URL
https://api.iyiou.com/skill/info?page=...&pageSize=...
SKILL.md:3

Medium risk: External URL
https://api.iyiou.com/skill/info
SKILL.md:10

Directory structure

6 files · 31.9 KB · 1067 lines
JavaScript 3f · 901L Markdown 2f · 159L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 525 B
├─ 📁 references
│ └─ 📝 field_mapping.md Markdown 32L · 920 B
├─ 📁 scripts
│ ├─ 📜 fetch_events.mjs JavaScript 386L · 10.8 KB
│ ├─ 📜 generate_report.mjs JavaScript 350L · 11.1 KB
│ └─ 📜 run_full_report.mjs JavaScript 165L · 4.1 KB
└─ 📝 SKILL.md Markdown 127L · 4.4 KB

Security highlights

✓ SKILL.md is thorough, declaring all scripts, parameters, output policies, and failure handling in detail
✓ File output is explicitly disabled; all scripts write only to stdout, so no file artifacts are created
✓ All numeric arguments are clamped to safe bounds (e.g., pageSize[1,100], maxPage[1,500], topN[0,500])
✓ Network activity is strictly bounded: single hardcoded HTTPS endpoint, no dynamic URLs
✓ Retry logic with progressive backoff is implemented; page-level errors are captured in JSON meta
✓ Date filtering defaults to yesterday with explicit opt-in for today — prevents accidental real-time data exposure
✓ run_full_report.mjs uses spawn with explicit process.execPath and argument arrays (no shell:true, no string injection risk)
✓ No credential access, no sensitive file paths touched (~/.ssh, .env, etc.), no base64/obfuscation
✓ Field mapping and API schema are documented in references/field_mapping.md with explicit contract
✓ No external dependencies beyond Node.js built-ins (fetch, fs/promises, path, child_process)