Scan Report
10/100
morning-brief
Morning Brief - automatically pushes holiday countdown and time-progress reminders at 8 a.m. every day
Morning brief skill is a straightforward calendar utility with no malicious behavior; filesystem write is for caching and network access is for fetching holiday data as declared.
Safe to install
No action required. Optionally pin axios to a specific version (e.g., ^1.6.8) for better dependency hygiene.
Findings 1 item
| Severity | Finding | Location |
|---|---|---|
| Low | Dependencies not version pinned | package.json:18 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | main.js:17-18 - cache read/write is documented as part of functionality |
| Network | READ | READ | ✓ Aligned | main.js:14-16 - fetches holiday API from github source as documented |

1 finding
Medium External URL
https://www.shuyz.com/githubfiles/china-holiday-calender/master/holidayAPI.json main.js:20

File Tree
5 files · 5.4 KB · 222 lines
JavaScript 1f · 99L
Markdown 1f · 66L
JSON 3f · 57L
├─ clawhub.json (JSON)
├─ main.js (JavaScript)
├─ package.json (JSON)
├─ skill.json (JSON)
└─ SKILL.md (Markdown)

Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| axios | ^1.6.0 | npm | No | Version range allows updates; recommend pinning to ^1.6.8+ for security fixes |
| dayjs | ^1.11.0 | npm | No | Version range; low risk as this is a pure utility library |

Security Positives
✓ No shell execution or subprocess usage
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No credential harvesting or environment variable scanning
✓ No base64/eval/dynamic code execution patterns
✓ No remote script execution (curl|bash, wget|sh)
✓ Network access is declared and relevant to stated purpose
✓ Filesystem write is for local caching only within skill directory
✓ All external data source URLs are documented in SKILL.md
✓ No hidden functionality or undocumented behavior
✓ Clean, straightforward implementation with no obfuscation