Trusted — Risk Score 5/100
Last scan: 2 days ago
us-market-briefing
Generate production-ready US pre-market outlooks and post-market recaps in a fixed 3-section format
This is a straightforward US market briefing skill with no malicious indicators. All behavior is well-documented in SKILL.md, including web data collection, cron automation, and local file operations for budget tracking.
Skill Name: us-market-briefing
Duration: 31.1s
Engine: pi
Safe to install
No action required. The skill is safe to use.

Findings 2 items

| Severity | Finding | Location |
| --- | --- | --- |
| Info | Allowed-tools not formally declared. SKILL.md uses web_search, web_fetch, and cron in documentation but doesn't include a formal allowed-tools section mapping these to resources. This is a minor documentation gap rather than a security concern. Rule: Skills that use external tools should list them in an allowed-tools section. → Add a formal allowed-tools declaration section for clarity | SKILL.md:1 |
| Info | No dependencies in Python script. scripts/is-us-market-holiday.py uses only Python standard library (json, sys, datetime, pathlib). No external packages required. Evidence: `import json, sys, datetime, pathlib`. → No action needed | scripts/is-us-market-holiday.py:1 |

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | READ | WRITE | ✓ Aligned | SKILL.md line 82-102: memory/market-briefing-usage.json tracking with documented… |
| Network | READ | READ | ✓ Aligned | SKILL.md line 53-65: Source Collection Rules explicitly declares web_search and … |
| Shell | NONE | NONE | | No shell execution found; python3 is called only via subprocess by OpenClab runt… |
| Environment | NONE | NONE | | No environment variable access observed |
| Skill Invoke | READ | READ | ✓ Aligned | SKILL.md line 25-33: cron automation via OpenClab |

File Tree

5 files · 9.8 KB · 300 lines
Markdown 3f · 255L Python 1f · 40L JSON 1f · 5L
├─ 📁 references
│ ├─ 📝 templates.md Markdown 87L · 1.7 KB
│ └─ 📝 us-market-holidays-2026.md Markdown 25L · 748 B
├─ 📁 scripts
│ └─ 🐍 is-us-market-holiday.py Python 40L · 1.4 KB
├─ 📋 _meta.json JSON 5L · 137 B
└─ 📝 SKILL.md Markdown 143L · 5.9 KB

Security Positives

✓ No credential harvesting or sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64 encoded payloads or obfuscated code
✓ No remote script execution (curl|bash, wget|sh)
✓ No direct IP network requests or C2 indicators
✓ All file operations (memory/market-briefing-usage.json) are explicitly documented
✓ Cron automation explicitly restricts to OpenClab only, prohibits system crontab editing
✓ Source code is simple, readable, and performs stated function only
✓ No hidden functionality in HTML comments or documentation
✓ No exfiltration or data POST to external endpoints