Trusted — Risk Score 5/100
Last scan: 2 days ago
daily-news-brief
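Aggregates and organizes news from multiple sources, classifies and sorts it into Tech / Finance / AI / Agents categories, generates a Markdown digest, and can run on a schedule.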
Legitimate news aggregation skill with no malicious behavior. Pre-flagged shell commands are false positives (skill self-cleanup, not system destruction).
Skill Name: daily-news-brief
Duration: 39.9s
Engine: pi
Safe to install
No action needed. The skill is safe to use.

Findings 1 item

Severity: Low
Finding: Pre-scan IOC: Shell command pattern detection
Location: QuickStartGuide.md:302-306

QuickStartGuide.md lines 302-306 contain shell commands starting with 'rm -rf ~' and 'rm -rf /'. Inspection shows these are false positives: the commands are 'rm -rf ~/.daily-news-brief' and 'rm -rf ~/daily-news-brief', which remove only the skill's own directories, not system paths.

rm -rf ~/.daily-news-brief
rm -rf ~/daily-news-brief

→ No action needed. These are legitimate uninstall instructions that remove only skill-owned data.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Save MD docs to ~/daily-news-brief/ (lines 3-4 SKILL.md) |
| Network | READ | READ | ✓ Aligned | RSS/web fetching from news sources (FetchNews.ts) |
| Shell | WRITE | WRITE | ✓ Aligned | cron setup via 'openclaw cron add' or crontab (Setup.md step 7) |
| Environment | NONE | NONE | | No env access observed |
| Skill Invoke | NONE | NONE | | No skill invocation chain |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser control |
| Database | NONE | NONE | | No database access |

2 Critical 7 findings

| Severity | Type | Match | Location |
|---|---|---|---|
| Critical | Dangerous Command (dangerous shell command) | rm -rf ~ | QuickStartGuide.md:302 |
| Critical | Dangerous Command (dangerous shell command) | rm -rf / | QuickStartGuide.md:306 |
| Medium | External URL | https://36kr.com/feed | QuickStartGuide.md:27 |
| Medium | External URL | https://www.huxiu.com/rss/0.xml | QuickStartGuide.md:33 |
| Medium | External URL | https://www.caixin.com/rss/rss_newstech.xml | QuickStartGuide.md:39 |
| Medium | External URL | https://www.jiqizhixin.com/rss | QuickStartGuide.md:45 |
| Medium | External URL | https://xinzhiyuan.ai/feed | QuickStartGuide.md:201 |

File Tree

11 files · 60.1 KB · 2343 lines
Markdown 5f · 1469L TypeScript 6f · 874L
├─ 📁 tools
│ ├─ 📜 Configure.ts TypeScript 281L · 8.6 KB
│ ├─ 📜 FetchNews.ts TypeScript 171L · 4.9 KB
│ ├─ 📜 MarkdownGenerator.ts TypeScript 126L · 3.9 KB
│ ├─ 📜 NewsClassifier.ts TypeScript 116L · 3.5 KB
│ ├─ 📜 NewsFetcher.ts TypeScript 99L · 3.0 KB
│ └─ 📜 types.ts TypeScript 81L · 1.9 KB
├─ 📁 workflows
│ ├─ 📝 Configure.md Markdown 390L · 7.6 KB
│ ├─ 📝 FetchNews.md Markdown 315L · 7.8 KB
│ └─ 📝 Setup.md Markdown 228L · 5.0 KB
├─ 📝 QuickStartGuide.md Markdown 357L · 7.0 KB
└─ 📝 SKILL.md Markdown 179L · 6.9 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| rss-parser | ^3.13.0 | npm | No | Pinned major version |
| cheerio | ^1.0.0-rc.12 | npm | No | Pinned major version |

Security Positives

✓ Clear documentation with explicit capability declarations
✓ No credential harvesting or exfiltration
✓ No base64-encoded or obfuscated code
✓ No eval() or dynamic code execution
✓ Filesystem access limited to skill-specific directory (~/.daily-news-brief/)
✓ Network access declared and restricted to legitimate news sources
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ Uses standard libraries (rss-parser, cheerio) with version dependencies documented
✓ OpenClaw integration via documented CLI interface