Low Risk — Risk Score 20/100
Last scan: 2 days ago
metal-price
Daily non-ferrous metals briefing — collects Cu/Zn/Ni/Co/Mg/Bi prices from Yahoo Finance, CCMN, SMM, Westmetall, and delivers a six-section investment research report via Telegram at 14:00 CST
Legitimate non-ferrous metals price aggregator using public financial data APIs; no malicious behavior found, but SKILL.md does not declare the child_process.execFile subprocess spawn the skill uses to run its sub-scripts. execFile starts a process directly rather than through a shell, but in this scanner's model it is still an undeclared shell:WRITE-class capability.
Skill Name: metal-price
Duration: 71.0s
Engine: pi
Safe to install
Add 'shell:WRITE' to the declared capability map and document the subprocess/execFile usage in SKILL.md. The '122.0.0.0' in scripts/test-sources.mjs is not a placeholder IP: it is the Chrome version field of a standard reduced User-Agent string (current Chrome reports only its major version, padded to 122.0.0.0), so the High IP indicator below is a scanner false positive. No code change is needed; a short comment next to the header would spare future reviewers the same detour.

Findings: 4 items

Each entry: severity, finding, evidence, recommendation, location.
Medium
Undeclared shell execution via child_process.execFile
scripts/daily-report.mjs uses execFile (wrapped with promisify) to run fetch-all-data.mjs in a child node process. In the scanner's capability model that is shell:WRITE, and SKILL.md's declared capability map does not mention shell at all. Note that execFile does not go through a shell (unlike child_process.exec): argv is passed directly and the script path is fixed, so there is no command-string injection surface here. The purpose (running the price-fetching script) is legitimate, but the undeclared permission is a doc-to-code mismatch.
const { stdout, stderr } = await execFileAsync(process.execPath, [scriptPath], { timeout: 60000, maxBuffer: 4 * 1024 * 1024 });
→ Add shell:WRITE to the SKILL.md capability declaration, or restructure the skill into a single process (for example `await import()` of fetch-all-data.mjs from daily-report.mjs). Keep in mind that the subprocess is doing useful work: the `timeout: 60000` and `maxBuffer` options bound a hung or over-chatty fetch run, and a crash in the fetcher cannot take the report step down with it. An in-process design needs its own timeout and error isolation to match.
scripts/daily-report.mjs:51
Low
Chrome version token 122.0.0.0 in a User-Agent string flagged as an IP address (false positive)
scripts/test-sources.mjs line 47 sends a Chrome/Chromium User-Agent header whose version field is 122.0.0.0. That is the normal form of a reduced Chrome User-Agent (major version only, with minor/build/patch zeroed), not a placeholder and not a C2 indicator; the header is used to fetch the legitimate LME.com API endpoint. Because the dotted quad also parses as an IPv4 address, naive IOC extraction reports it as a hard-coded IP, which is why it appears as the High indicator further down.
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36'
→ No code change required. Do not replace the token with an invented version such as 122.0.0.1234; that would make the header look less like a real browser, not more. Instead tune the IP-address heuristic to ignore dotted quads that directly follow a product token such as `Chrome/`, or add a code comment noting the value is a browser version.
scripts/test-sources.mjs:47
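An IOC extractor that understood this context would not have raised the High indicator listed further down. The following JavaScript is an added example, not the scanner's code and not code from the metal-price project: it finds IPv4-looking tokens in source text and suppresses those that sit in a product/version token such as Chrome/122.0.0.0 or that are loopback/unspecified addresses, while still surfacing a genuinely hard-coded address. The sample source lines are constructed for this example; 203.0.113.5 is a TEST-NET documentation address, not a real host.

```javascript
// Added example (not the scanner's code, not the skill's code): context-aware
// extraction of IPv4-looking tokens from source text. The sample input below is
// constructed; the only "real" data is the shape of the User-Agent header.

const OCTET = '(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)';
// A dotted quad that is not glued to other word characters or dots on either side.
const IPV4 = new RegExp(`(?<![\\w.])${OCTET}(?:\\.${OCTET}){3}(?![\\w.])`, 'g');
// "Chrome/", "Edg/", "MyAgent/": a quad right after a product token is a version, not an address.
const PRODUCT_TOKEN = /[A-Za-z][\w.-]*\/$/;

// Decide whether a match is worth a human look. `before` is the text preceding it on the line.
function classify(value, before) {
  if (PRODUCT_TOKEN.test(before)) {
    return { suppressed: true, reason: 'version token of ' + before.match(PRODUCT_TOKEN)[0] };
  }
  const [firstOctet] = value.split('.').map(Number);
  if (firstOctet === 127) return { suppressed: true, reason: 'loopback' };
  if (value === '0.0.0.0' || value === '255.255.255.255') {
    return { suppressed: true, reason: 'unspecified/broadcast' };
  }
  return { suppressed: false, reason: 'candidate hard-coded address' };
}

// Every dotted quad in `source`, with file:line, the value and the verdict.
function extractIpv4(source, path = '<input>') {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(IPV4)) {
      const before = text.slice(Math.max(0, m.index - 40), m.index);
      hits.push({ path, line: i + 1, value: m[0], ...classify(m[0], before) });
    }
  });
  return hits;
}

// Just the values that survive suppression, i.e. what an analyst should triage.
function iocCandidates(source, path) {
  return extractIpv4(source, path).filter((h) => !h.suppressed).map((h) => h.value);
}

// Constructed sample source: a reduced Chrome UA, a loopback health URL, and one
// genuinely hard-coded remote address (TEST-NET range, chosen so it is never routable).
const SAMPLE_SOURCE = [
  "const headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36' };",
  "const health = 'http://127.0.0.1:8080/health';",
  "const beacon = 'http://203.0.113.5/checkin'; // constructed TEST-NET address, not a real host",
].join('\n');

console.table(extractIpv4(SAMPLE_SOURCE, 'scripts/test-sources.mjs'));
```

The 40-character window passed to `classify` is what makes the decision cheap: the product token is always immediately to the left of the version, so no full UA parser is needed.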
Low
Missing environment variable capability declaration
The skill reads TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID from the project's own .env file. SKILL.md documents these variables but does not formally declare environment:READ. Reading only the project's own .env is low-risk.
const env = loadEnv(); const token = env.TELEGRAM_BOT_TOKEN;
→ Declare environment:READ and document that the skill reads its own .env file for Telegram configuration only. Since the Bot API carries the token in the request path (https://api.telegram.org/bot<token>/...), also confirm that error handling never logs the full request URL.
scripts/send-telegram.mjs:24
Info
No dependencies declared beyond Node.js built-ins
package.json has no external npm dependencies; all functionality uses native Node.js APIs (the global fetch plus the fs, path, child_process, util, readline and querystring modules). This is a positive security characteristic.
"type": "module", // no external dependencies
→ No action needed; zero-dependency design minimizes supply-chain risk.
package.json:1
Capability map (declared vs. inferred)

Resource    | Declared | Inferred | Status      | Evidence
Network     | READ     | READ     | ✓ Aligned   | All network I/O is via native fetch() calling public financial APIs (Yahoo Finan…
Shell       | NONE     | WRITE    | ✗ Violation | scripts/daily-report.mjs:51 — execFile(process.execPath, [scriptPath]) spawns a …
Filesystem  | NONE     | READ     | ✓ Aligned   | scripts/daily-report.mjs:33 reads .env via readFileSync (only the project's own …
Environment | NONE     | READ     | ✓ Aligned   | Telegram credentials (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) are read from .env v…
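The table above is the output of a declared-versus-inferred capability check, and the Medium finding earlier is one row of it. The following JavaScript is an added example of how such a check can be implemented; it is not the scanner's engine and not code from the metal-price project. Resource names and the NONE/READ/WRITE levels follow the table; the SKILL.md front-matter layout, the detection patterns and the sample file contents (modelled on the evidence lines quoted in the findings) are assumptions. It is stricter than the table in one respect: any inferred level above the declared one is reported as a Violation, including reads of the project's own .env.

```javascript
// Added example (not the scanner's code, not the skill's code): infer the capabilities
// a skill's scripts use and diff them against the capability map SKILL.md declares.
// Front-matter layout, patterns and sample inputs are assumptions for this example.

const LEVELS = { NONE: 0, READ: 1, WRITE: 2 };
const RESOURCES = ['network', 'shell', 'filesystem', 'environment'];

// Heuristic source patterns and the capability level each implies. Bare `exec(` is
// deliberately not matched because RegExp.prototype.exec would trip it; the
// child_process import rule still catches a file that uses exec.
const RULES = [
  { resource: 'network',     level: 'READ',  re: /\bfetch\s*\(/,                                  why: 'native fetch() call' },
  { resource: 'shell',       level: 'WRITE', re: /['"]node:?child_process['"]/,                   why: 'child_process import' },
  { resource: 'shell',       level: 'WRITE', re: /\b(?:execFile|spawn|fork)(?:Sync|Async)?\s*\(/, why: 'subprocess spawn' },
  { resource: 'filesystem',  level: 'READ',  re: /\breadFile(?:Sync)?\s*\(/,                      why: 'fs read' },
  { resource: 'filesystem',  level: 'WRITE', re: /\bwriteFile(?:Sync)?\s*\(/,                     why: 'fs write' },
  { resource: 'environment', level: 'READ',  re: /\bprocess\.env\b|['"]\.env['"]/,                why: 'env or .env read' },
];

// Parse a `capabilities:` block from YAML-style front matter (assumed layout):
//   ---
//   capabilities:
//     network: read
//   ---
// Anything not listed is NONE.
function parseDeclared(skillMd) {
  const declared = Object.fromEntries(RESOURCES.map((r) => [r, 'NONE']));
  const fm = skillMd.match(/^---\n([\s\S]*?)\n---/);
  if (!fm) return declared;
  let inBlock = false;
  for (const line of fm[1].split('\n')) {
    if (/^capabilities:\s*$/.test(line)) { inBlock = true; continue; }
    if (inBlock && !/^\s/.test(line)) inBlock = false; // left the indented block
    const m = inBlock && line.match(/^\s+(\w+):\s*(\w+)/);
    if (m && m[1] in declared && m[2].toUpperCase() in LEVELS) declared[m[1]] = m[2].toUpperCase();
  }
  return declared;
}

// Scan every file line by line; keep the highest level seen per resource plus file:line evidence.
function inferUsed(files) {
  const used = Object.fromEntries(RESOURCES.map((r) => [r, { level: 'NONE', evidence: [] }]));
  for (const [path, source] of Object.entries(files)) {
    source.split('\n').forEach((text, i) => {
      for (const rule of RULES) {
        if (!rule.re.test(text)) continue;
        const slot = used[rule.resource];
        if (LEVELS[rule.level] > LEVELS[slot.level]) slot.level = rule.level;
        slot.evidence.push(`${path}:${i + 1} (${rule.why})`);
      }
    });
  }
  return used;
}

// Declared vs inferred per resource. Inferred above declared is a Violation; declared
// above inferred is flagged too, since an over-broad grant is also a doc-to-code mismatch.
function auditSkill(skillMd, files) {
  const declared = parseDeclared(skillMd);
  const used = inferUsed(files);
  return RESOURCES.map((resource) => {
    const d = declared[resource];
    const u = used[resource].level;
    const status = LEVELS[u] > LEVELS[d] ? 'Violation'
                 : LEVELS[u] < LEVELS[d] ? 'Over-declared' : 'Aligned';
    return { resource, declared: d, inferred: u, status, evidence: used[resource].evidence };
  });
}

function formatReport(rows) {
  return rows.map((r) =>
    `${r.resource.padEnd(12)} declared=${r.declared.padEnd(5)} inferred=${r.inferred.padEnd(5)} ${r.status}` +
    (r.evidence.length ? `  [${r.evidence[0]}]` : '')).join('\n');
}

// Constructed inputs modelled on the evidence lines quoted in this report.
const SAMPLE_SKILL_MD = ['---', 'name: metal-price', 'capabilities:', '  network: read', '---', '# metal-price'].join('\n');
const SAMPLE_FILES = {
  'scripts/daily-report.mjs': [
    "import { execFile } from 'node:child_process';",
    "import { readFileSync } from 'node:fs';",
    "import { promisify } from 'node:util';",
    'const execFileAsync = promisify(execFile);',
    "const env = parseDotenv(readFileSync('.env', 'utf8'));",
    'const { stdout } = await execFileAsync(process.execPath, [scriptPath], { timeout: 60000 });',
  ].join('\n'),
  'scripts/send-telegram.mjs': [
    'const token = process.env.TELEGRAM_BOT_TOKEN;',
    "await fetch(`https://api.telegram.org/bot${token}/sendMessage`, { method: 'POST' });",
  ].join('\n'),
};

console.log(formatReport(auditSkill(SAMPLE_SKILL_MD, SAMPLE_FILES)));
```

With the sample inputs the network row comes out Aligned and the shell, filesystem and environment rows come out as Violations, each carrying the file:line that triggered it; swapping in the project's real SKILL.md and script sources is the only change needed to run it against the skill itself.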
Extracted indicators: 65 items (1 High, 64 Medium)

High · Hard-coded IP address · 122.0.0.0 · scripts/test-sources.mjs:47 (false positive: the Chrome/122.0.0.0 version token of the User-Agent string on that line; see the Low finding above)
Medium · External URL · https://api.telegram.org/bot$ · scripts/daily-report.mjs:514
Medium · External URL · https://m.ccmn.cn/mhangqing/getCorpStmarketPriceList?marketVmid=40288092327140f601327141c0560001 · scripts/fetch-all-data.mjs:28
Medium · External URL · https://m.ccmn.cn/mhangqing/mcjxh/ · scripts/fetch-all-data.mjs:32
Medium · External URL · http://app.ometal.cn/data/mlist.asp · scripts/fetch-all-data.mjs:83
Medium · External URL · http://app.ometal.cn/ · scripts/fetch-all-data.mjs:94
Medium · External URL · https://query1.finance.yahoo.com/v8/finance/chart/$ · scripts/fetch-all-data.mjs:163
Medium · External URL · https://hq.smm.cn/h5/bismuth-price · scripts/fetch-all-data.mjs:254
Medium · External URL · https://www.smm.cn/ · scripts/fetch-all-data.mjs:266
Medium · External URL · https://hq.smm.cn/h5/$ · scripts/fetch-all-data.mjs:361
Medium · External URL · https://www.westmetall.com/en/markdaten.php?action=table&field=LME_XX_stock · scripts/fetch-all-data.mjs:470
Medium · External URL · https://www.westmetall.com/en/markdaten.php?action=table&field=$ · scripts/fetch-all-data.mjs:490
Medium · External URL · https://www.westmetall.com/en/markdaten.php · scripts/fetch-all-data.mjs:496
Medium · External URL · https://www.lme.com/Market-Data/Reports-and-data/Warehouse-Stock-Statistics · scripts/fetch-all-data.mjs:598
Medium · External URL · https://api.investing.com/api/financialdata/assets/equitiesByType?country=&type=metals&page=0&pageSize=20 · scripts/fetch-all-data.mjs:638
Medium · External URL · https://news.google.com/rss/search?q=%E6%9C%89%E8%89%B2%E9%87%91%E5%B1%9E+%E4%BB%B7%E6%A0%BC&hl=zh-CN&gl=CN&ceid=CN:zh-H... · scripts/fetch-all-data.mjs:692
Medium · External URL · https://news.google.com/rss/search?q=$ · scripts/fetch-all-data.mjs:730
Medium · External URL · https://www.reddit.com/r/Commodities/top.json?t=week&limit=25 · scripts/fetch-all-data.mjs:842
Medium · External URL · https://www.reddit.com/r/Commodities/hot.json?limit=25 · scripts/fetch-all-data.mjs:846
Medium · External URL · https://reddit.com$ · scripts/fetch-all-data.mjs:861
Medium · External URL · https://tradingeconomics.com/commodity/cobalt · scripts/fetch-all-data.mjs:942
Medium · External URL · https://www.dailymetalprice.com/metalpricecharts.php?c=co&u=usd&d=5 · scripts/fetch-all-data.mjs:984
Medium · External URL · https://www.dailymetalprice.com/ · scripts/fetch-all-data.mjs:988
Medium · External URL · https://query1.finance.yahoo.com/v8/finance/chart/USDCNY=X?interval=1d&range=2d · scripts/fetch-all-data.mjs:1019
Medium · External URL · https://feeds.reuters.com/reuters/UKBusinessNews · scripts/fetch-news.mjs:94
Medium · External URL · https://finance.yahoo.com/rss/topstories · scripts/fetch-news.mjs:99
Medium · External URL · https://stooq.com/q/l/?s=$ · scripts/fetch-prices.mjs:92
Medium · External URL · https://www.shfe.com.cn/data/dailydata/WarehouseReceipt20260317.dat · scripts/test-sources.mjs:5
Medium · External URL · https://www.shfe.com.cn/data/dailydata/wr/wr20260317.dat · scripts/test-sources.mjs:6
Medium · External URL · https://datacenter.shfe.com.cn/statement/datatype/WareHouseReceipt//otc · scripts/test-sources.mjs:7
Medium · External URL · https://www.shfe.com.cn/ · scripts/test-sources.mjs:12
Medium · External URL · https://www.macrotrends.net/assets/php/fund_and_commodity_chart_data_download.php?t=HG00&type=price · scripts/test-sources.mjs:22
Medium · External URL · https://www.macrotrends.net/ · scripts/test-sources.mjs:23
Medium · External URL · https://hq.smm.cn/h5/ · scripts/test-sources.mjs:33
Medium · External URL · https://www.lme.com/api/Reports/WarehouseStockByMetalReportDownload?fileName=&isInternal=false · scripts/test-sources.mjs:45
Medium · External URL · https://api.worldbank.org/v2/en/indicator/PCOPP.USD?downloadformat=json&mrv=5 · scripts/test-sources.mjs:72
Medium · External URL · https://rong360.jin10.com/api/flash_newest?category=0&channel=-1&vip=0 · scripts/test-sources2.mjs:6
Medium · External URL · https://flash-api.jin10.com/get_flash_by_category?category=15&count=20&vip=0 · scripts/test-sources2.mjs:7
Medium · External URL · https://datacenter.jin10.com/reportType/dc_lme_inventory · scripts/test-sources2.mjs:8
Medium · External URL · https://datacenter.jin10.com/reportType/dc_copper_inventory · scripts/test-sources2.mjs:9
Medium · External URL · https://www.jin10.com/ · scripts/test-sources2.mjs:14
Medium · External URL · https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTU_LME_INVENTORY&columns=ALL&pageSize=10&sortColum... · scripts/test-sources2.mjs:27
Medium · External URL · https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTU_METAL_INVENTORY&columns=ALL&pageSize=10 · scripts/test-sources2.mjs:28
Medium · External URL · https://data.eastmoney.com/ · scripts/test-sources2.mjs:33
Medium · External URL · https://d.10jqka.com.cn/v2/future/hs_lme_inventory/block/json · scripts/test-sources2.mjs:46
Medium · External URL · https://data.10jqka.com.cn/futures/lme_inventory/ · scripts/test-sources2.mjs:47
Medium · External URL · https://d.10jqka.com.cn/v2/report/hs_lme_copper/json · scripts/test-sources2.mjs:48
Medium · External URL · https://www.10jqka.com.cn/ · scripts/test-sources2.mjs:53
Medium · External URL · https://www.cmegroup.com/CmeWS/mvc/Settlements/futures/options/tradeDate/20260314/productCode/HG/type/ALL/code/ALL · scripts/test-sources2.mjs:66
Medium · External URL · https://www.cmegroup.com/CmeWS/mvc/Volume/getCombinedVolumeDownloadDetails/tradeDate/20260314/asset/copper.csv · scripts/test-sources2.mjs:67
Medium · External URL · https://www.cmegroup.com/CmeWS/mvc/Warehouse/getCopperWarehouseStocks.json · scripts/test-sources2.mjs:68
Medium · External URL · https://www.cmegroup.com/market-data/reports/warehouse-stock-reports.html · scripts/test-sources2.mjs:69
Medium · External URL · https://www.westmetall.com/en/markdaten.php?action=table&field=LME_Cu_cash · scripts/test-sources2.mjs:87
Medium · External URL · https://datacenter.jin10.com/v2/lme/inventory/latest · scripts/test-sources3.mjs:33
Medium · External URL · https://datacenter.jin10.com/v3/lme/inventory · scripts/test-sources3.mjs:34
Medium · External URL · https://datacenter.jin10.com/ · scripts/test-sources3.mjs:41
Medium · External URL · https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_LME_INVENTORY&columns=ALL&pageSize=5 · scripts/test-sources3.mjs:60
Medium · External URL · https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTURES_LME_INVENTORY&columns=ALL&pageSize=5 · scripts/test-sources3.mjs:61
Medium · External URL · https://futurold.eastmoney.com/web/api/lme/inventory?page=1&pagesize=5 · scripts/test-sources3.mjs:62
Medium · External URL · https://datacenter-web.eastmoney.com/api/data/v1/get?reportName=RPT_FUTU_POSITIONS&columns=ALL&pageSize=5&sortColumns=DA... · scripts/test-sources3.mjs:64
Medium · External URL · https://data.eastmoney.com/futures/ · scripts/test-sources3.mjs:69
Medium · External URL · https://www.lme.com/api/Graphs/LMEStockData · scripts/test-sources3.mjs:83
Medium · External URL · https://api.lme.com/warehouse/stock · scripts/test-sources3.mjs:84
Medium · External URL · https://www.lme.com/en-GB/Trading/Physical-market/Warehousing/LME-stocks · scripts/test-sources3.mjs:85
Medium · External URL · https://www.lme.com/ · scripts/test-sources3.mjs:93

File Tree

12 files · 124.4 KB · 3085 lines
JavaScript: 9 files, 2813 lines · Markdown: 2 files, 262 lines · JSON: 1 file, 10 lines
├─ 📁 scripts
│ ├─ 📜 daily-report.mjs JavaScript 561L · 23.9 KB
│ ├─ 📜 fetch-all-data.mjs JavaScript 1368L · 56.8 KB
│ ├─ 📜 fetch-news.mjs JavaScript 140L · 5.2 KB
│ ├─ 📜 fetch-prices.mjs JavaScript 273L · 8.6 KB
│ ├─ 📜 send-telegram.mjs JavaScript 111L · 2.9 KB
│ ├─ 📜 test-sources.mjs JavaScript 82L · 3.4 KB
│ ├─ 📜 test-sources2.mjs JavaScript 99L · 4.7 KB
│ ├─ 📜 test-sources3.mjs JavaScript 108L · 4.8 KB
│ └─ 📜 test-westmetall.mjs JavaScript 71L · 2.7 KB
├─ 📋 package.json JSON 10L · 225 B
├─ 📝 README.md Markdown 152L · 6.4 KB
└─ 📝 SKILL.md Markdown 110L · 4.7 KB

Dependencies: 1 item

Package                       | Version | Source         | Known Vulns | Notes
none (Node.js built-ins only) | N/A     | Node.js stdlib | No          | fetch, fs, path, child_process, util, readline — all native modules, no npm packages

Security Positives

✓ Zero external npm dependencies: all functionality uses Node.js built-in modules, which removes the npm supply-chain surface entirely (what remains is the Node.js runtime itself and the data sources the scripts fetch)
✓ All network requests target public financial-data and news endpoints (Yahoo Finance, CCMN, SMM, Westmetall, LME, Telegram, Google News, Reddit, TradingEconomics, plus the SHFE, CME, Jin10, Eastmoney, 10jqka, Investing.com, Stooq, World Bank, Macrotrends, DailyMetalPrice, ometal.cn and Reuters endpoints in the indicator list). Several of these are HTML pages rather than JSON/RSS APIs, so their responses should be treated as untrusted input to the report, not as trusted data
✓ No base64, eval, atob, or any dynamic code execution patterns
✓ No access to sensitive host paths (~/.ssh, ~/.aws, /etc/passwd, .env beyond the project's own)
✓ No credential exfiltration — Telegram token is only used to POST messages to the user's own configured bot/chat
✓ No reverse shell, C2, data theft, or lateral movement indicators
✓ All endpoints use HTTPS (Telegram, Yahoo Finance, CCMN, SMM, Westmetall, LME and the rest of the indicator list) with two exceptions: http://app.ometal.cn/data/mlist.asp and http://app.ometal.cn/ (fetch-all-data.mjs:83 and :94) are fetched over plain HTTP and can therefore be altered in transit. Because that data feeds the report, it needs the same untrusted-input handling as the other sources, or an HTTPS endpoint if the provider offers one
✓ GitHub repository is publicly accessible (RAMBOXIE/metal-price), allowing community review
✓ Error handling includes timeouts, graceful fallbacks across multiple data sources, and crash-safe JSON output