Trusted: risk score 0/100
Last scanned: 1 day ago
info-research-report
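Automated information research report workflow, completed in one click: multi-source search → deep dive → government-style DOCX report generation → email delivery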
Skill performs legitimate information research report generation with fully declared subprocess usage, network calls, and third-party LLM data processing.
Skill name: info-research-report
Analysis time: 29.7s
Engine: pi
Safe to install
Approve for use. All functionality is documented and aligned with declared permissions. No malicious patterns detected.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | run.py: reads results.json, .env files |
| File system | WRITE | WRITE | ✓ Consistent | run.py: generates DOCX report files in working directory |
| Network access | READ | READ | ✓ Consistent | run.py: requests.post to MiniMax/OpenAI APIs, mcporter browseros fetch |
| Command execution | WRITE | WRITE | ✓ Consistent | run.py: subprocess.run for mcporter and mail.py (documented external tools) |
| Environment variables | READ | READ | ✓ Consistent | run.py: reads MINIMAX_API_KEY, OPENAI_API_KEY, OPENCLAW_SKILLS_DIR (all declared… |
| Skill invocation | ADMIN | ADMIN | ✓ Consistent | run.py: invokes email-mail-master skill for mail sending (declared in SKILL.md) |
| Clipboard | NONE | NONE | | No clipboard usage found |
| Browser | READ | READ | ✓ Consistent | run.py: mcporter browseros calls for web page fetching (declared in SKILL.md) |
| Database | NONE | NONE | | No database access found |
9 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://duckduckgo.com/html/?q=你的主题 | README.md:30 |
| Medium | External URL | https://www.understandingwar.org/research/middle-east/iran-update-special-report-april-1-2026/ | results.json:4 |
| Medium | External URL | https://www.aljazeera.com/news/liveblog/2026/4/2/iran-war-live-trump-to-address-nation-tehran-denies-seeking-ceasefire | results.json:9 |
| Medium | External URL | https://www.cnn.com/2026/04/02/world/live-news/iran-war-us-trump-oil-intl-hnk | results.json:14 |
| Medium | External URL | https://en.wikipedia.org/wiki/2026_Iran_war | results.json:19 |
| Medium | External URL | https://www.nytimes.com/live/2026/04/02/world/iran-war-trump-news | results.json:24 |
| Medium | External URL | https://duckduckgo.com/html/?q= | run.py:57 |
| Medium | External URL | https://api.minimax.chat/v1/text/chatcompletion_v2 | run.py:95 |
| Info | Email address | [email protected] | SKILL.md:287 |

Directory structure

5 files · 37.5 KB · 1048 lines
Python 1f · 646L Markdown 2f · 368L JSON 2f · 34L
├─ 📋 package.json JSON 8L · 179 B
├─ 📝 README.md Markdown 76L · 1.6 KB
├─ 📋 results.json JSON 26L · 2.1 KB
├─ 🐍 run.py Python 646L · 24.4 KB
└─ 📝 SKILL.md Markdown 292L · 9.3 KB

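Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| python-docx | * | pip | | Standard package for DOCX generation |
| requests | * | pip | | Standard HTTP library for LLM API calls |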

Security highlights

✓ All subprocess usage (mcporter, mail.py) is explicitly documented in SKILL.md
✓ API keys (MINIMAX_API_KEY, OPENAI_API_KEY) are declared as optional and properly scoped
✓ Third-party LLM data transmission is declared with warnings in SKILL.md
✓ No base64 encoding, obfuscation, or anti-analysis patterns present
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env beyond its own)
✓ No credential exfiltration — API keys are used only for their declared LLM purpose
✓ File write operations are scoped to the working directory (DOCX report output)
✓ subprocess calls are limited to two known external tools (mcporter, mail.py)
✓ No remote code execution, reverse shell, or C2 communication patterns
✓ No supply chain risks — dependencies (python-docx, requests) are standard, pinned in SKILL.md