Scan Report
0 /100
info-research-report
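Automated information research report workflow. One-click completion: multi-source search → in-depth research → government-style DOCX report generation → email delivery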
Skill performs legitimate information research report generation with fully declared subprocess usage, network calls, and third-party LLM data processing.
Safe to install
Approve for use. All functionality is documented and aligned with declared permissions. No malicious patterns detected.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | run.py: reads results.json, .env files |
| Filesystem | WRITE | WRITE | ✓ Aligned | run.py: generates DOCX report files in working directory |
| Network | READ | READ | ✓ Aligned | run.py: requests.post to MiniMax/OpenAI APIs, mcporter browseros fetch |
| Shell | WRITE | WRITE | ✓ Aligned | run.py: subprocess.run for mcporter and mail.py (documented external tools) |
| Environment | READ | READ | ✓ Aligned | run.py: reads MINIMAX_API_KEY, OPENAI_API_KEY, OPENCLAW_SKILLS_DIR (all declared… |
| Skill Invoke | ADMIN | ADMIN | ✓ Aligned | run.py: invokes email-mail-master skill for mail sending (declared in SKILL.md) |
| Clipboard | NONE | NONE | — | No clipboard usage found |
| Browser | READ | READ | ✓ Aligned | run.py: mcporter browseros calls for web page fetching (declared in SKILL.md) |
| Database | NONE | NONE | — | No database access found |
9 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://duckduckgo.com/html/?q=你的主题 | README.md:30 |
| Medium | External URL | https://www.understandingwar.org/research/middle-east/iran-update-special-report-april-1-2026/ | results.json:4 |
| Medium | External URL | https://www.aljazeera.com/news/liveblog/2026/4/2/iran-war-live-trump-to-address-nation-tehran-denies-seeking-ceasefire | results.json:9 |
| Medium | External URL | https://www.cnn.com/2026/04/02/world/live-news/iran-war-us-trump-oil-intl-hnk | results.json:14 |
| Medium | External URL | https://en.wikipedia.org/wiki/2026_Iran_war | results.json:19 |
| Medium | External URL | https://www.nytimes.com/live/2026/04/02/world/iran-war-trump-news | results.json:24 |
| Medium | External URL | https://duckduckgo.com/html/?q= | run.py:57 |
| Medium | External URL | https://api.minimax.chat/v1/text/chatcompletion_v2 | run.py:95 |
| Info | Email | [email protected] | SKILL.md:287 |

File Tree
5 files · 37.5 KB · 1048 lines
Python 1f · 646L
Markdown 2f · 368L
JSON 2f · 34L
├─ package.json (JSON)
├─ README.md (Markdown)
├─ results.json (JSON)
├─ run.py (Python)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| python-docx | * | pip | No | Standard package for DOCX generation |
| requests | * | pip | No | Standard HTTP library for LLM API calls |
Security Positives
✓ All subprocess usage (mcporter, mail.py) is explicitly documented in SKILL.md
✓ API keys (MINIMAX_API_KEY, OPENAI_API_KEY) are declared as optional and properly scoped
✓ Third-party LLM data transmission is declared with warnings in SKILL.md
✓ No base64 encoding, obfuscation, or anti-analysis patterns present
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env beyond its own)
✓ No credential exfiltration — API keys are used only for their declared LLM purpose
✓ File write operations are scoped to the working directory (DOCX report output)
✓ subprocess calls are limited to two known external tools (mcporter, mail.py)
✓ No remote code execution, reverse shell, or C2 communication patterns
✓ No supply chain risks — dependencies (python-docx, requests) are standard, pinned in SKILL.md