Scan Report
10/100
morning-brief
Morning brief - automatically pushes a holiday countdown and time-progress reminders at 8 a.m. every day
Morning brief skill is a straightforward calendar utility with no malicious behavior; filesystem write is for caching and network access is for fetching holiday data as declared.
OK to install
No action required. Optionally pin axios to a specific version (e.g., ^1.6.8) for better dependency hygiene.
Security findings: 1

| Severity | Finding | Location |
|---|---|---|
| Low | Dependencies not version pinned | package.json:18 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Consistent | main.js:17-18 - cache read/write is documented as part of functionality |
| Network access | READ | READ | ✓ Consistent | main.js:14-16 - fetches holiday API from github source as documented |

1 finding
Medium · External URL
https://www.shuyz.com/githubfiles/china-holiday-calender/master/holidayAPI.json · main.js:20

Directory structure
5 files · 5.4 KB · 222 lines
JavaScript 1f · 99L
Markdown 1f · 66L
JSON 3f · 57L

├─ clawhub.json (JSON)
├─ main.js (JavaScript)
├─ package.json (JSON)
├─ skill.json (JSON)
└─ SKILL.md (Markdown)
Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| axios | ^1.6.0 | npm | No | Version range allows updates; recommend pinning to ^1.6.8+ for security fixes |
| dayjs | ^1.11.0 | npm | No | Version range; low risk as this is a pure utility library |

Security highlights
✓ No shell execution or subprocess usage
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No credential harvesting or environment variable scanning
✓ No base64/eval/dynamic code execution patterns
✓ No remote script execution (curl|bash, wget|sh)
✓ Network access is declared and relevant to stated purpose
✓ Filesystem write is for local caching only within skill directory
✓ All external data source URLs are documented in SKILL.md
✓ No hidden functionality or undocumented behavior
✓ Clean, straightforward implementation with no obfuscation