Scan Report
0 /100
career-news
针对不同职业每日推送全球精选行业新闻
Legitimate career news aggregation skill that generates AI agent prompts. All capabilities are documented, file operations are scoped to a single data directory, and no malicious patterns were found.
Safe to install
No action required. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | register.js:47 writes to data/users/<userId>.json; morning-push.js:44 reads data… |
| Network | NONE | NONE | — | No network calls in any script |
| Shell | NONE | NONE | — | No subprocess or shell execution |
| Environment | NONE | NONE | — | No os.environ access |
| Skill Invoke | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
File Tree
7 files · 31.6 KB · 697 lines JavaScript 4f · 572L
Markdown 1f · 104L
JSON 2f · 21L
├─
▾
scripts
│ ├─
morning-push.js
JavaScript
│ ├─
news-query.js
JavaScript
│ ├─
push-toggle.js
JavaScript
│ └─
register.js
JavaScript
├─
_meta.json
JSON
├─
package.json
JSON
└─
SKILL.md
Markdown
Security Positives
✓ All capabilities declared and match implementation
✓ User input sanitized with strict regex: replace(/[^a-zA-Z0-9_-]/g, '')
✓ File operations scoped exclusively to data/users/ directory
✓ No external network requests or credential access
✓ No obfuscation, eval(), or base64-encoded payloads
✓ Uses only Node.js standard libraries (fs, path)
✓ Prompts are text output to stdout for AI agents, not code execution
✓ Documentation accurately describes all functionality
✓ No sensitive paths accessed (~/.ssh, ~/.aws, .env)
✓ No supply chain risks - no external dependencies beyond Node.js stdlib