turkish-locale Security Report — Low Risk | ClawSafe

20 /100

turkish-locale

Turkish locale skill pack for Hermes Agent — Turkish news, BIST100 stock tracking, daily brief automation

Legitimate Turkish locale hackathon project with minor documentation discrepancies but no malicious behavior detected.

Skill Nameturkish-locale

Duration58.9s

Enginepi

✓

Safe to install

Consider adding explicit network and filesystem declarations in SKILL.md to align with actual usage. Pin dependency versions for reproducibility.

Findings 3 items

Severity	Finding	Location
Low	Dependency documentation mismatch Doc Mismatch SKILL.md states 'Dependencies: curl, python3 (stdlib only — no pip packages required)' but actual scripts require 'requests' and 'Pillow' packages. `Dependencies: curl, python3 (stdlib only — no pip packages required)` → Update documentation to list actual pip dependencies: requests, Pillow	`SKILL.md:130`
Low	Undeclared network API usage Doc Mismatch Scripts use network to access CoinGecko API, Telegram Bot API, and Turkish news RSS feeds without explicit network permissions declared. `requests.get(COINGECKO_MARKETS_API, params=params, headers=headers, timeout=15)` → Document network access to api.coingecko.com, api.telegram.org, and RSS feed domains	`scripts/bist100_prices.py:104`
Low	Unpinned package versions Supply Chain Dependencies use unpinned versions (requests, Pillow) which could introduce supply chain risk over time. `import requests` → Pin versions in requirements file: requests>=2.28.0, Pillow>=9.0.0	`scripts/bist100_prices.py:24`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✓ Aligned	turkish_brief_card.py writes PNG files to output path
Network	`NONE`	`READ`	✓ Aligned	bist100_prices.py fetches CoinGecko API; telegram_send.py calls Telegram API
Shell	`NONE`	`READ`	✓ Aligned	SKILL.md references terminal() for curl-based RSS fetching
Environment	`NONE`	`READ`	✓ Aligned	telegram_send.py reads TELEGRAM_BOT_TOKEN and TELEGRAM_HOME_CHANNEL

43 findings

🔗

Medium External URL 外部 URL

https://www.bloomberght.com/borsa/endeksler/bist-100

bist100/SKILL.md:100

🔗

Medium External URL 外部 URL

https://www.bloomberght.com/borsa/hisseler/THYAO

bist100/SKILL.md:104

🔗

Medium External URL 外部 URL

https://www.bloomberght.com/doviz

bist100/SKILL.md:108

🔗

Medium External URL 外部 URL

https://www.bloomberght.com/altin

bist100/SKILL.md:112

🔗

Medium External URL 外部 URL

https://bigpara.hurriyet.com.tr/borsa/canli-borsa/

bist100/SKILL.md:120

🔗

Medium External URL 外部 URL

https://bigpara.hurriyet.com.tr/doviz/

bist100/SKILL.md:123

🔗

Medium External URL 外部 URL

https://bigpara.hurriyet.com.tr/altin/

bist100/SKILL.md:126

🔗

Medium External URL 外部 URL

https://tr.investing.com/indices/ise-100

bist100/SKILL.md:133

🔗

Medium External URL 外部 URL

https://tr.investing.com/

bist100/SKILL.md:136

🔗

Medium External URL 外部 URL

https://query1.finance.yahoo.com/v8/finance/chart/XU100.IS?interval=1d&range=1d

bist100/SKILL.md:145

🔗

Medium External URL 外部 URL

https://query1.finance.yahoo.com/v8/finance/chart/THYAO.IS?interval=1d&range=1d

bist100/SKILL.md:148

🔗

Medium External URL 外部 URL

https://query1.finance.yahoo.com/v8/finance/chart/USDTRY=X?interval=1d&range=1d

bist100/SKILL.md:151

🔗

Medium External URL 外部 URL

https://query1.finance.yahoo.com/v8/finance/chart/EURTRY=X?interval=1d&range=1d

bist100/SKILL.md:154

🔗

Medium External URL 外部 URL

https://query1.finance.yahoo.com/v8/finance/chart/GC=F?interval=1d&range=1d

bist100/SKILL.md:157

🔗

Medium External URL 外部 URL

https://www.tcmb.gov.tr/kurlar/today.xml

bist100/SKILL.md:379

🔗

Medium External URL 外部 URL

https://api.coingecko.com/api/v3/coins/markets

scripts/bist100_prices.py:104

🔗

Medium External URL 外部 URL

https://api.telegram.org/bot

scripts/telegram_send.py:41

🔗

Medium External URL 外部 URL

https://www.hurriyet.com.tr/rss/anasayfa

turkish-daily-brief/SKILL.md:161

🔗

Medium External URL 外部 URL

https://www.ntv.com.tr/son-dakika.rss

turkish-daily-brief/SKILL.md:162

🔗

Medium External URL 外部 URL

https://www.bloomberght.com/rss

turkish-daily-brief/SKILL.md:163

🔗

Medium External URL 外部 URL

https://www.hurriyet.com.tr/rss/gundem

turkish-news/SKILL.md:38

🔗

Medium External URL 外部 URL

https://www.hurriyet.com.tr/rss/ekonomi

turkish-news/SKILL.md:39

🔗

Medium External URL 外部 URL

https://www.hurriyet.com.tr/rss/dunya

turkish-news/SKILL.md:40

🔗

Medium External URL 外部 URL

https://www.hurriyet.com.tr/rss/teknoloji

turkish-news/SKILL.md:41

🔗

Medium External URL 外部 URL

https://www.hurriyet.com.tr/rss/spor

turkish-news/SKILL.md:42

🔗

Medium External URL 外部 URL

https://www.sabah.com.tr/rss/anasayfa.xml

turkish-news/SKILL.md:47

🔗

Medium External URL 外部 URL

https://www.sabah.com.tr/rss/gundem.xml

turkish-news/SKILL.md:48

🔗

Medium External URL 外部 URL

https://www.sabah.com.tr/rss/ekonomi.xml

turkish-news/SKILL.md:49

🔗

Medium External URL 外部 URL

https://www.sabah.com.tr/rss/dunya.xml

turkish-news/SKILL.md:50

🔗

Medium External URL 外部 URL

https://www.sabah.com.tr/rss/teknoloji.xml

turkish-news/SKILL.md:51

🔗

Medium External URL 外部 URL

https://www.bloomberght.com/rss/piyasa

turkish-news/SKILL.md:57

🔗

Medium External URL 外部 URL

https://www.bloomberght.com/rss/haberler

turkish-news/SKILL.md:58

🔗

Medium External URL 外部 URL

https://tr.cointelegraph.com/rss

turkish-news/SKILL.md:63

🔗

Medium External URL 外部 URL

https://www.ntv.com.tr/turkiye.rss

turkish-news/SKILL.md:69

🔗

Medium External URL 外部 URL

https://www.ntv.com.tr/ekonomi.rss

turkish-news/SKILL.md:70

🔗

Medium External URL 外部 URL

https://www.ntv.com.tr/dunya.rss

turkish-news/SKILL.md:71

🔗

Medium External URL 外部 URL

https://www.ntv.com.tr/teknoloji.rss

turkish-news/SKILL.md:72

🔗

Medium External URL 外部 URL

https://www.aa.com.tr/tr/rss/default?cat=guncel

turkish-news/SKILL.md:77

🔗

Medium External URL 外部 URL

https://www.aa.com.tr/tr/rss/default?cat=ekonomi

turkish-news/SKILL.md:78

🔗

Medium External URL 外部 URL

https://www.aa.com.tr/tr/rss/default?cat=dunya

turkish-news/SKILL.md:79

🔗

Medium External URL 外部 URL

https://www.aa.com.tr/tr/rss/default?cat=spor

turkish-news/SKILL.md:80

🔗

Medium External URL 外部 URL

https://www.trthaber.com/sondakika.rss

turkish-news/SKILL.md:87

🔗

Medium External URL 外部 URL

https://www.dunya.com/rss

turkish-news/SKILL.md:92

File Tree

7 files · 93.6 KB · 2722 lines

Python 3f · 1403L Markdown 4f · 1319L

├─ ▾ 📁 bist100

│ └─ 📝 SKILL.md Markdown 392L · 11.8 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 bist100_prices.py Python 516L · 16.8 KB

│ ├─ 🐍 telegram_send.py Python 377L · 13.2 KB

│ └─ 🐍 turkish_brief_card.py Python 510L · 20.6 KB

├─ ▾ 📁 turkish-daily-brief

│ └─ 📝 SKILL.md Markdown 429L · 14.6 KB

├─ ▾ 📁 turkish-news

│ └─ 📝 SKILL.md Markdown 298L · 9.3 KB

└─ 📝 SKILL.md Markdown 200L · 7.2 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`requests`	`unpinned`	pip	No	Version not pinned; stdlib-only claim in docs is incorrect
`Pillow`	`unpinned`	pip	No	Version not pinned; used for PNG card generation

Security Positives

✓ No credential harvesting or exfiltration observed

✓ No obfuscation techniques (base64, eval, atob) detected

✓ No sensitive file access (~/.ssh, ~/.aws, .env files not accessed)

✓ No reverse shell, C2, or data theft behavior

✓ No hidden functionality beyond documented features

✓ Network requests go to legitimate, publicly known APIs

✓ Environment variables used only for documented Telegram integration

✓ All external URLs are legitimate Turkish news and finance sources

Scan Report

Findings 3 items

File Tree

Dependencies 2 items

Security Positives