metal-price Security Report — Trusted | ClawSafe

5 /100

metal-price

Daily non-ferrous metals briefing — 从 Yahoo Finance/CCMN/SMM/Westmetall 等公开源采集有色金属价格，生成六板块投研日报推送到 Telegram

有色金属价格追踪与日报生成工具，功能声明与实现完全一致，无恶意行为。

Skill Namemetal-price

Duration40.6s

Enginepi

✓

Safe to install

可直接使用

Findings 3 items

Severity	Finding	Location
Low	测试文件中存在硬编码 IP 占位符 scripts/test-sources.mjs:47 包含 IP 122.0.0.0 占位符，但仅在测试代码中用于数据源测试，未被任何生产脚本调用或实际使用。 `122.0.0.0` → 测试文件无需发布到生产环境，建议从打包中排除或移除占位符 IP	`scripts/test-sources.mjs:47`
Low	未在 SKILL.md 中声明 execFile 调用子脚本 daily-report.mjs 使用 execFile 间接执行子脚本 fetch-all-data.mjs，虽然是合法功能但未在文档中明确说明。 `await execFileAsync(process.execPath, [scriptPath], { timeout: 60000, maxBuffer: 4 * 1024 * 1024 })` → 在文档中补充说明调用结构	`scripts/daily-report.mjs:44`
Info	GitHub 链接指向外部仓库 SKILL.md 包含 GitHub 仓库链接 https://github.com/RAMBOXIE/metal-price，外部仓库内容未纳入分析范围。 `git clone https://github.com/RAMBOXIE/metal-price.git` → 确认外部仓库版本与当前技能一致	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Network	`WRITE`	`WRITE`	✓ Aligned	SKILL.md 声明网络请求，fetch-all-data.mjs 访问 Yahoo/CCMN/SMM/Westmetall 等公开金融数据源
Filesystem	`READ`	`READ`	✓ Aligned	daily-report.mjs:21 读取 .env 获取 TELEGRAM_BOT_TOKEN，仅用于 Telegram 消息发送
Shell	`NONE`	`READ`	✓ Aligned	daily-report.mjs:44 使用 execFile 执行子脚本，无外部命令注入风险
Environment	`NONE`	`READ`	✓ Aligned	daily-report.mjs:21-37 读取 .env 中的 TELEGRAM 配置，值用于本工具内部

1 High 65 findings

📡

High IP Address 硬编码 IP 地址

122.0.0.0

scripts/test-sources.mjs:47

🔗

Medium External URL 外部 URL

https://api.telegram.org/bot$

scripts/daily-report.mjs:514

🔗

Medium External URL 外部 URL

https://m.ccmn.cn/mhangqing/getCorpStmarketPriceList?marketVmid=40288092327140f601327141c0560001

scripts/fetch-all-data.mjs:28

🔗

Medium External URL 外部 URL

https://m.ccmn.cn/mhangqing/mcjxh/

scripts/fetch-all-data.mjs:32

🔗

Medium External URL 外部 URL

http://app.ometal.cn/data/mlist.asp

scripts/fetch-all-data.mjs:83

🔗

Medium External URL 外部 URL

http://app.ometal.cn/

scripts/fetch-all-data.mjs:94

🔗

Medium External URL 外部 URL

https://query1.finance.yahoo.com/v8/finance/chart/$

scripts/fetch-all-data.mjs:163

🔗

Medium External URL 外部 URL

https://hq.smm.cn/h5/bismuth-price

scripts/fetch-all-data.mjs:254

🔗

Medium External URL 外部 URL

https://www.smm.cn/

scripts/fetch-all-data.mjs:266

🔗

Medium External URL 外部 URL

https://hq.smm.cn/h5/$

scripts/fetch-all-data.mjs:361

🔗

Medium External URL 外部 URL

https://www.westmetall.com/en/markdaten.php?action=table&field=LME_XX_stock

scripts/fetch-all-data.mjs:470

🔗

Medium External URL 外部 URL

https://www.westmetall.com/en/markdaten.php?action=table&field=$

scripts/fetch-all-data.mjs:490

🔗

Medium External URL 外部 URL

https://www.westmetall.com/en/markdaten.php

scripts/fetch-all-data.mjs:496

🔗

Medium External URL 外部 URL

https://www.lme.com/Market-Data/Reports-and-data/Warehouse-Stock-Statistics

scripts/fetch-all-data.mjs:598

🔗

Medium External URL 外部 URL

https://api.investing.com/api/financialdata/assets/equitiesByType?country=&type=metals&page=0&pageSize=20

scripts/fetch-all-data.mjs:638

🔗

Medium External URL 外部 URL

https://news.google.com/rss/search?q=%E6%9C%89%E8%89%B2%E9%87%91%E5%B1%9E+%E4%BB%B7%E6%A0%BC&hl=zh-CN&gl=CN&ceid=CN:zh-H...

scripts/fetch-all-data.mjs:692

🔗

Medium External URL 外部 URL

https://news.google.com/rss/search?q=$

scripts/fetch-all-data.mjs:730

🔗

Medium External URL 外部 URL

https://www.reddit.com/r/Commodities/top.json?t=week&limit=25

scripts/fetch-all-data.mjs:842

🔗

Medium External URL 外部 URL

https://www.reddit.com/r/Commodities/hot.json?limit=25

scripts/fetch-all-data.mjs:846

🔗

Medium External URL 外部 URL

https://reddit.com$

scripts/fetch-all-data.mjs:861

🔗

Medium External URL 外部 URL

https://tradingeconomics.com/commodity/cobalt

scripts/fetch-all-data.mjs:942

🔗

Medium External URL 外部 URL

https://www.dailymetalprice.com/metalpricecharts.php?c=co&u=usd&d=5

scripts/fetch-all-data.mjs:984

🔗

Medium External URL 外部 URL

https://www.dailymetalprice.com/

scripts/fetch-all-data.mjs:988

🔗

Medium External URL 外部 URL

https://query1.finance.yahoo.com/v8/finance/chart/USDCNY=X?interval=1d&range=2d

scripts/fetch-all-data.mjs:1019

🔗

Medium External URL 外部 URL

https://feeds.reuters.com/reuters/UKBusinessNews

scripts/fetch-news.mjs:94

🔗

Medium External URL 外部 URL

https://finance.yahoo.com/rss/topstories

scripts/fetch-news.mjs:99

🔗

Medium External URL 外部 URL

https://stooq.com/q/l/?s=$

scripts/fetch-prices.mjs:92

🔗

Medium External URL 外部 URL

https://www.shfe.com.cn/data/dailydata/WarehouseReceipt20260317.dat

scripts/test-sources.mjs:5

🔗

Medium External URL 外部 URL

https://www.shfe.com.cn/data/dailydata/wr/wr20260317.dat

scripts/test-sources.mjs:6

🔗

Medium External URL 外部 URL

https://datacenter.shfe.com.cn/statement/datatype/WareHouseReceipt//otc

scripts/test-sources.mjs:7

🔗

Medium External URL 外部 URL

https://www.shfe.com.cn/

scripts/test-sources.mjs:12

🔗

Medium External URL 外部 URL

https://www.macrotrends.net/assets/php/fund_and_commodity_chart_data_download.php?t=HG00&type=price

scripts/test-sources.mjs:22

🔗

Medium External URL 外部 URL

https://www.macrotrends.net/

scripts/test-sources.mjs:23

🔗

Medium External URL 外部 URL

https://hq.smm.cn/h5/

scripts/test-sources.mjs:33

🔗

Medium External URL 外部 URL

https://www.lme.com/api/Reports/WarehouseStockByMetalReportDownload?fileName=&isInternal=false

scripts/test-sources.mjs:45

🔗

Medium External URL 外部 URL

https://api.worldbank.org/v2/en/indicator/PCOPP.USD?downloadformat=json&mrv=5

scripts/test-sources.mjs:72

🔗

Medium External URL 外部 URL

https://rong360.jin10.com/api/flash_newest?category=0&channel=-1&vip=0

scripts/test-sources2.mjs:6

🔗

Medium External URL 外部 URL

https://flash-api.jin10.com/get_flash_by_category?category=15&count=20&vip=0

scripts/test-sources2.mjs:7

🔗

Medium External URL 外部 URL

https://datacenter.jin10.com/reportType/dc_lme_inventory

scripts/test-sources2.mjs:8

🔗

Medium External URL 外部 URL

https://datacenter.jin10.com/reportType/dc_copper_inventory

scripts/test-sources2.mjs:9

🔗

Medium External URL 外部 URL

https://www.jin10.com/

scripts/test-sources2.mjs:14

🔗

Medium External URL 外部 URL

https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTU_LME_INVENTORY&columns=ALL&pageSize=10&sortColum...

scripts/test-sources2.mjs:27

🔗

Medium External URL 外部 URL

https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTU_METAL_INVENTORY&columns=ALL&pageSize=10

scripts/test-sources2.mjs:28

🔗

Medium External URL 外部 URL

https://data.eastmoney.com/

scripts/test-sources2.mjs:33

🔗

Medium External URL 外部 URL

https://d.10jqka.com.cn/v2/future/hs_lme_inventory/block/json

scripts/test-sources2.mjs:46

🔗

Medium External URL 外部 URL

https://data.10jqka.com.cn/futures/lme_inventory/

scripts/test-sources2.mjs:47

🔗

Medium External URL 外部 URL

https://d.10jqka.com.cn/v2/report/hs_lme_copper/json

scripts/test-sources2.mjs:48

🔗

Medium External URL 外部 URL

https://www.10jqka.com.cn/

scripts/test-sources2.mjs:53

🔗

Medium External URL 外部 URL

https://www.cmegroup.com/CmeWS/mvc/Settlements/futures/options/tradeDate/20260314/productCode/HG/type/ALL/code/ALL

scripts/test-sources2.mjs:66

🔗

Medium External URL 外部 URL

https://www.cmegroup.com/CmeWS/mvc/Volume/getCombinedVolumeDownloadDetails/tradeDate/20260314/asset/copper.csv

scripts/test-sources2.mjs:67

🔗

Medium External URL 外部 URL

https://www.cmegroup.com/CmeWS/mvc/Warehouse/getCopperWarehouseStocks.json

scripts/test-sources2.mjs:68

🔗

Medium External URL 外部 URL

https://www.cmegroup.com/market-data/reports/warehouse-stock-reports.html

scripts/test-sources2.mjs:69

🔗

Medium External URL 外部 URL

https://www.westmetall.com/en/markdaten.php?action=table&field=LME_Cu_cash

scripts/test-sources2.mjs:87

🔗

Medium External URL 外部 URL

https://datacenter.jin10.com/v2/lme/inventory/latest

scripts/test-sources3.mjs:33

🔗

Medium External URL 外部 URL

https://datacenter.jin10.com/v3/lme/inventory

scripts/test-sources3.mjs:34

🔗

Medium External URL 外部 URL

https://datacenter.jin10.com/

scripts/test-sources3.mjs:41

🔗

Medium External URL 外部 URL

https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_LME_INVENTORY&columns=ALL&pageSize=5

scripts/test-sources3.mjs:60

🔗

Medium External URL 外部 URL

https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTURES_LME_INVENTORY&columns=ALL&pageSize=5

scripts/test-sources3.mjs:61

🔗

Medium External URL 外部 URL

https://futurold.eastmoney.com/web/api/lme/inventory?page=1&pagesize=5

scripts/test-sources3.mjs:62

🔗

Medium External URL 外部 URL

https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTU_POSITIONS&columns=ALL&pageSize=5&sortColumns=DA...

scripts/test-sources3.mjs:64

🔗

Medium External URL 外部 URL

https://data.eastmoney.com/futures/

scripts/test-sources3.mjs:69

🔗

Medium External URL 外部 URL

https://www.lme.com/api/Graphs/LMEStockData

scripts/test-sources3.mjs:83

🔗

Medium External URL 外部 URL

https://api.lme.com/warehouse/stock

scripts/test-sources3.mjs:84

🔗

Medium External URL 外部 URL

https://www.lme.com/en-GB/Trading/Physical-market/Warehousing/LME-stocks

scripts/test-sources3.mjs:85

🔗

Medium External URL 外部 URL

https://www.lme.com/

scripts/test-sources3.mjs:93

File Tree

13 files · 124.6 KB · 3090 lines

JavaScript 9f · 2813L Markdown 2f · 262L JSON 2f · 15L

├─ ▾ 📁 scripts

│ ├─ 📜 daily-report.mjs JavaScript 561L · 23.9 KB

│ ├─ 📜 fetch-all-data.mjs JavaScript 1368L · 56.8 KB

│ ├─ 📜 fetch-news.mjs JavaScript 140L · 5.2 KB

│ ├─ 📜 fetch-prices.mjs JavaScript 273L · 8.6 KB

│ ├─ 📜 send-telegram.mjs JavaScript 111L · 2.9 KB

│ ├─ 📜 test-sources.mjs JavaScript 82L · 3.4 KB

│ ├─ 📜 test-sources2.mjs JavaScript 99L · 4.7 KB

│ ├─ 📜 test-sources3.mjs JavaScript 108L · 4.8 KB

│ └─ 📜 test-westmetall.mjs JavaScript 71L · 2.7 KB

├─ 📋 _meta.json JSON 5L · 135 B

├─ 📋 package.json JSON 10L · 225 B

├─ 📝 README.md Markdown 152L · 6.4 KB

└─ 📝 SKILL.md Markdown 110L · 4.7 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`无外部依赖`	`N/A`	package.json	No	仅使用 Node.js 内置模块（fs, path, child_process, util, readline, fetch）

Security Positives

✓ 所有网络请求均指向公开金融数据源（Yahoo Finance, CCMN, SMM, Westmetall, TradingEconomics），无隐蔽外部连接

✓ Telegram Bot Token 仅用于向指定 chat_id 发送消息，无凭证外泄

✓ 无 shell 命令注入风险，execFile 仅调用 Node.js 自身执行脚本

✓ 无敏感文件访问，不涉及 ~/.ssh、~/.aws、.env 以外的系统路径

✓ 无 base64/eval/解码管道等混淆技术

✓ 代码结构清晰，注释完整，每个函数功能明确

✓ 数据源覆盖全面，包含价格、库存、新闻、情绪等多维度数据

✓ 功能声明与实现完全一致，无影子功能

Scan Report

Findings 3 items

File Tree

Dependencies 1 items

Security Positives