Trusted — Risk Score 0/100
Last scan: 1 day ago
daily-poem
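Daily Poem — daily curated poetry push, alternating Chinese and English classical/modern poems, with translation, commentary, and reading-rhythm notes; supports on-demand poem lookup by theme/author and weekly digests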
Daily Poem skill is a legitimate poetry delivery and query service using Node.js scripts as prompt generators with minimal filesystem access and no network/shell execution.
Skill Name: daily-poem
Duration: 28.3s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md:data/push-log.json; scripts read this file only |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares push-log.json writes; scripts use fs.readFileSync (read-only),… |
| Network | NONE | NONE | | No network requests in any script |
| Shell | NONE | NONE | | No shell execution, subprocess, or command invocation |
| Environment | NONE | NONE | | No env access found |
| Browser | NONE | NONE | | Not used |

File Tree

8 files · 19.1 KB · 542 lines
JavaScript 4f · 391L Markdown 1f · 122L JSON 3f · 29L
├─ 📁 data
│ └─ 📋 push-log.json JSON 1L · 3 B
├─ 📁 scripts
│ ├─ 📜 morning-push.js JavaScript 130L · 5.0 KB
│ ├─ 📜 push-toggle.js JavaScript 67L · 1.7 KB
│ ├─ 📜 query.js JavaScript 103L · 3.6 KB
│ └─ 📜 weekly-digest.js JavaScript 91L · 3.5 KB
├─ 📋 _meta.json JSON 6L · 121 B
├─ 📋 package.json JSON 22L · 931 B
└─ 📝 SKILL.md Markdown 122L · 4.3 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| none | N/A | npm | No | No external dependencies — only built-in Node.js modules (fs, path, process) |

Security Positives

✓ SKILL.md documentation accurately describes all script functionality with no mismatches
✓ Scripts are simple prompt generators outputting to console only — no side effects
✓ query.js implements input sanitization (removes <>&"';&|`$ characters)
✓ No external dependencies — uses only built-in Node.js modules (fs, path, process)
✓ Filesystem access is minimal: only reads/writes push-log.json within skill directory
✓ No credential access, sensitive path access, or environment variable reading
✓ No network requests, IP connections, or data exfiltration
✓ No obfuscation, base64-encoded strings, or anti-analysis techniques
✓ Cron management is documented as openclaw CLI commands, not raw shell scripts
✓ push-toggle.js only prints instructions without executing system commands