Trusted - risk score 5/100
Last scanned: 2 days ago
daily-news-brief
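Aggregates and organizes news from multiple sources, sorts it into tech / finance / AI / agent categories, generates a Markdown digest, and can run on a schedule.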
Legitimate news aggregation skill with no malicious behavior. Pre-flagged shell commands are false positives (skill self-cleanup, not system destruction).
Skill name: daily-news-brief
Analysis time: 39.9s
Engine: pi
OK to install
No action needed. The skill is safe to use.

Security findings: 1

Severity | Finding | Location
Low
Pre-scan IOC: Shell command pattern detection
QuickStartGuide.md lines 302-306 contain shell commands starting with 'rm -rf ~' and 'rm -rf /'. However, inspection reveals these are false positives: the commands are 'rm -rf ~/.daily-news-brief' and 'rm -rf ~/daily-news-brief', which remove only the skill's own directories, not system paths.
rm -rf ~/.daily-news-brief
rm -rf ~/daily-news-brief
→ No action needed. These are legitimate uninstall instructions that remove only skill-owned data.
QuickStartGuide.md:302-306
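Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | Save MD docs to ~/daily-news-brief/ (lines 3-4 SKILL.md)
Network access | READ | READ | ✓ Consistent | RSS/web fetching from news sources (FetchNews.ts)
Command execution | WRITE | WRITE | ✓ Consistent | cron setup via 'openclaw cron add' or crontab (Setup.md step 7)
Environment variables | NONE | NONE | | No env access observed
Skill invocation | NONE | NONE | | No skill invocation chain
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser control
Database | NONE | NONE | | No database access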
2 critical · 7 findings
💀 Critical | Dangerous command | Dangerous shell command | rm -rf ~ | QuickStartGuide.md:302
💀 Critical | Dangerous command | Dangerous shell command | rm -rf / | QuickStartGuide.md:306
🔗 Medium | External URL | External URL | https://36kr.com/feed | QuickStartGuide.md:27
🔗 Medium | External URL | External URL | https://www.huxiu.com/rss/0.xml | QuickStartGuide.md:33
🔗 Medium | External URL | External URL | https://www.caixin.com/rss/rss_newstech.xml | QuickStartGuide.md:39
🔗 Medium | External URL | External URL | https://www.jiqizhixin.com/rss | QuickStartGuide.md:45
🔗 Medium | External URL | External URL | https://xinzhiyuan.ai/feed | QuickStartGuide.md:201

Directory structure

11 files · 60.1 KB · 2343 lines
Markdown: 5 files · 1469 lines; TypeScript: 6 files · 874 lines
├─ 📁 tools
│ ├─ 📜 Configure.ts TypeScript 281L · 8.6 KB
│ ├─ 📜 FetchNews.ts TypeScript 171L · 4.9 KB
│ ├─ 📜 MarkdownGenerator.ts TypeScript 126L · 3.9 KB
│ ├─ 📜 NewsClassifier.ts TypeScript 116L · 3.5 KB
│ ├─ 📜 NewsFetcher.ts TypeScript 99L · 3.0 KB
│ └─ 📜 types.ts TypeScript 81L · 1.9 KB
├─ 📁 workflows
│ ├─ 📝 Configure.md Markdown 390L · 7.6 KB
│ ├─ 📝 FetchNews.md Markdown 315L · 7.8 KB
│ └─ 📝 Setup.md Markdown 228L · 5.0 KB
├─ 📝 QuickStartGuide.md Markdown 357L · 7.0 KB
└─ 📝 SKILL.md Markdown 179L · 6.9 KB

Dependency analysis: 2 items

Package | Version | Source | Known vulnerabilities | Notes
rss-parser | ^3.13.0 | npm | | Pinned major version
cheerio | ^1.0.0-rc.12 | npm | | Pinned major version

Security highlights

✓ Clear documentation with explicit capability declarations
✓ No credential harvesting or exfiltration
✓ No base64-encoded or obfuscated code
✓ No eval() or dynamic code execution
✓ Filesystem access limited to skill-specific directory (~/.daily-news-brief/)
✓ Network access declared and restricted to legitimate news sources
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ Uses standard libraries (rss-parser, cheerio) with version dependencies documented
✓ OpenClaw integration via documented CLI interface