Scan report
15/100
news-trust-check
Verify suspicious news, announcements, screenshots, and viral claims using a high-trust source pool
A benign news credibility checker skill that uses keyword-based risk scoring with no network access, credential exposure, or malicious functionality detected.
OK to install
Declare allowed-tools and script execution in SKILL.md to eliminate documentation gaps. Otherwise safe to use.
Security findings: 1
| Severity | Finding | Location |
|---|---|---|
| Low | No allowed-tools declaration (documentation deception) | SKILL.md:1 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | READ | ✓ Consistent | Script reads no files; SKILL.md references sources by name only |
| Network access | NONE | NONE | — | No HTTP requests, DNS lookups, or external calls in assess_claim.py |
| Command execution | NONE | NONE | — | assess_claim.py is pure Python with no subprocess; no shell commands in SKILL.md… |
Directory structure
3 files · 3.8 KB · 146 lines (Markdown: 2 files, 109 lines; Python: 1 file, 37 lines)
├─ references
│  └─ high-trust-sources.md (Markdown)
├─ scripts
│  └─ assess_claim.py (Python)
└─ SKILL.md (Markdown)
Security highlights
✓ No network access or data exfiltration — assess_claim.py performs only in-memory string matching
✓ No credential access or harvesting — script contains no os.environ, config files, or key lookups
✓ No obfuscation — code is plain Python with readable logic and no base64, eval, or dynamic exec
✓ No remote code execution — no curl|bash, wget|sh, or subprocess calls
✓ No supply chain risk — assess_claim.py has zero third-party imports (only argparse, json, sys from stdlib)
✓ Risk scoring logic is deterministic, auditable, and clearly documented with Chinese fraud-related keywords
✓ Skill purpose (news trust verification) is clearly stated and matches implementation