Trusted — Risk Score 5/100
Last scan: 2 days ago
quotedance-rss-digest
RSS feed aggregation skill - Aggregates user's RSS feed subscriptions into a Markdown digest
RSS aggregation skill that legitimately fetches and caches feeds from user subscriptions without any malicious activity.
Skill Name: quotedance-rss-digest
Duration: 24.9s
Engine: pi
Safe to install
No action needed. The skill operates as documented with standard RSS feed fetching, local caching, and Markdown output.

Findings: 1 item

Severity: Low
Finding: API key field declared but empty
Location: config.json:3
The config.json has an 'apiKey' field with an empty string value. While documented in SKILL.md, users must ensure this is configured with a valid key if X-API-Key authentication is required.
"apiKey": ""
→ Ensure a valid API key is configured in production, or document that the service may work without authentication
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | Reads config.json, writes cache files to memory/ directory
Network | READ | READ | ✓ Aligned | Fetches from quotedance-service API and RSS feeds
Shell | NONE | NONE | | No shell execution found
Environment | READ | READ | ✓ Aligned | Reads QUTEDANCE_API_KEY from process.env
Skill Invoke | NONE | NONE | | No skill invocation found
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
3 findings
Medium | External URL | https://quotedance.api.gapgap.cc | SKILL.md:17
Medium | External URL | https://36kr.com/feed | memory/rss-source-cache.json:10
Medium | External URL | https://xueqiu.com/hots/topic/rss | memory/rss-source-cache.json:18

File Tree

4 files · 22.8 KB · 797 lines
JavaScript 1f · 577L Markdown 1f · 149L JSON 2f · 71L
├─ 📁 memory
│ └─ 📋 rss-source-cache.json JSON 60L · 1.8 KB
├─ 📁 scripts
│ └─ 📜 rss-digest.js JavaScript 577L · 15.7 KB
├─ 🔑 config.json JSON 11L · 230 B
└─ 📝 SKILL.md Markdown 149L · 5.2 KB

Security Positives

✓ No shell execution (no child_process, exec, or spawn calls)
✓ No credential harvesting or data exfiltration
✓ No base64 encoding, obfuscation, or eval statements
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No curl|bash or wget|sh remote script execution
✓ Clear, readable code with proper error handling
✓ Local caching is scoped to skill directory only
✓ Code matches documentation in SKILL.md