Scan Report
15 /100
news-watcher
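Monitors CoinDesk / PANews cryptocurrency news in real time; when a new article is published, it automatically fetches the full text, summarizes it with AI and pushes it to Telegram
A legitimate cryptocurrency news monitoring tool; the code is open source and transparent, with no malicious behavior, and only minor flaws such as unpinned dependency versions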
Safe to install
Safe to use; pinning the playwright and crypto dependency versions is recommended to avoid supply-chain risk
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Dependency versions not pinned (Supply Chain) | package.json:17 |
| Info | Chrome path hard-coded (Priv Escalation) | scripts/watch-news.js:169 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/watch-news.js:52 - writes to ~/.openclaw/cache/news-hash.json |
| Network | READ | READ | ✓ Aligned | scripts/watch-news.js:169 - page.goto() visits the news sites |
| Shell | NONE | WRITE | ✓ Aligned | scripts/watch-news.js:12 - execFileSync is used only to invoke openclaw.mjs |
| Environment | READ | READ | ✓ Aligned | scripts/watch-news.js:8-11 - reads configuration such as OPENCLAW_MJS and TELEGRAM_USER_ID |
| Browser | WRITE | WRITE | ✓ Aligned | scripts/watch-news.js:169-175 - Playwright browser automation |
2 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.coindesk.com/zh | scripts/watch-news.js:35 |
| Medium | External URL | https://www.panewslab.com/zh | scripts/watch-news.js:41 |

File Tree
6 files · 34.8 KB · 1123 lines
JavaScript 1f · 373L
Text 1f · 373L
Markdown 2f · 299L
JSON 2f · 78L
├─ scripts
│ └─ watch-news.js (JavaScript)
├─ package.json (JSON)
├─ README.md (Markdown)
├─ skill.json (JSON)
├─ SKILL.md (Markdown)
└─ watch-news.txt (Text)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| playwright | ^1.40.0 | npm | No | Version not pinned; using an exact version is recommended |
| crypto | ^1.0.1 | npm | No | Built-in Node.js module; a separately installed version has little value |
Security Positives
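✓ Fully open source (GitHub: https://github.com/vvxer/openclaw-news-watcher)
✓ Code is clear and readable, with no obfuscation or hidden logic
✓ Does not access sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ Does not scan or harvest credentials from environment variables
✓ All network requests go to legitimate news sites and the Telegram API
✓ Uses execFileSync rather than exec/popen, restricted to a single known binary
✓ Documentation is detailed, and its claims match the actual behavior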