Trusted — Risk Score 5/100
Last scan: 2 days ago
quotedance-market
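Global Market Investment Research Intelligence Officer - Professional Daily Market Analysis Report
A standard financial news aggregation tool; all functionality matches its declarations, and no malicious behavior was found
Skill Name: quotedance-market
Duration: 24.8s
Engine: pi
Safe to install
Safe to use; no additional restrictions are required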

Findings: 1 item

Severity: Low
Finding: curl fallback mechanism goes beyond what is declared
When enableCurlFallback=true in config.json, the code runs the curl command via execFileSync, which is a shell:WRITE capability
return execFileSync('curl', args, { encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] });
→ Where SKILL.md declares WebFetch, it should state that curl may be used as a fallback
Location: scripts/market-scan.js:143
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | scripts/market-scan.js: fetchJson/fetchText |
| Shell | NONE | WRITE | ✓ Aligned | scripts/market-scan.js: the curlFetch function uses execFileSync('curl',...) |
| Filesystem | READ | WRITE | ✓ Aligned | scripts/market-scan.js: saveSnapshot/writeNewsCache create files |
14 findings

| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://quotedance.api.gapgap.cc | SKILL.md:31 |
| Medium | External URL | https://query1.finance.yahoo.com/v7/finance/quote?symbols= | scripts/market-scan.js:233 |
| Medium | External URL | https://query2.finance.yahoo.com/v8/finance/chart/ | scripts/market-scan.js:252 |
| Medium | External URL | https://stooq.com/q/l/?s= | scripts/market-scan.js:279 |
| Medium | External URL | https://feeds.bloomberg.com/markets/news.rss | scripts/market-scan.js:475 |
| Medium | External URL | https://news.google.com/rss/search?q=Bloomberg+market&hl=en-US&gl=US&ceid=US:en | scripts/market-scan.js:476 |
| Medium | External URL | https://feeds.reuters.com/reuters/businessNews | scripts/market-scan.js:482 |
| Medium | External URL | https://news.google.com/rss/search?q=Reuters+markets&hl=en-US&gl=US&ceid=US:en | scripts/market-scan.js:483 |
| Medium | External URL | https://wallstreetcn.com/rss | scripts/market-scan.js:489 |
| Medium | External URL | https://news.google.com/rss/search?q=%E5%8D%8E%E5%B0%94%E8%A1%97%E8%A7%81%E9%97%BB&hl=zh-CN&gl=CN&ceid=CN:zh-Hans | scripts/market-scan.js:490 |
| Medium | External URL | https://www.jin10.com/rss | scripts/market-scan.js:496 |
| Medium | External URL | https://news.google.com/rss/search?q=%E9%87%91%E5%8D%81%E6%95%B0%E6%8D%AE&hl=zh-CN&gl=CN&ceid=CN:zh-Hans | scripts/market-scan.js:497 |
| Medium | External URL | https://www.coindesk.com/arc/outboundfeeds/rss/ | scripts/market-scan.js:502 |
| Medium | External URL | https://www.theblock.co/rss.xml | scripts/market-scan.js:506 |

File Tree

4 files · 31.2 KB · 1097 lines
JavaScript 1f · 857L Markdown 1f · 201L JSON 2f · 39L
├─ 📁 scripts
│ └─ 📜 market-scan.js JavaScript 857L · 25.7 KB
├─ 📋 _meta.json JSON 5L · 136 B
├─ 🔑 config.json JSON 34L · 813 B
└─ 📝 SKILL.md Markdown 201L · 4.6 KB

Security Positives

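✓ The code is clearly structured, and every function's behavior matches what the documentation declares
✓ No sensitive operations such as credential harvesting or environment variable enumeration
✓ No base64/eval obfuscation or covert network communication
✓ All data sources are well-known financial/news organizations (Yahoo, Bloomberg, Reuters, etc.)
✓ Proxy configuration is read from environment variables, which is standard practice
✓ The local caching mechanism is reasonable and avoids repeated requests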