China Official Economic News (中国官方经济资讯)
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to fetch public Chinese economic news as described, with minor caveats around its fallback script, undeclared dependencies, and source-verification robustness.
This looks safe for fetching public economic news. Before installing, be aware that the fallback script may run locally, may require installing Python dependencies, and should not be treated as a perfectly guaranteed official-only feed unless its domain and TLS checks are strengthened.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the web tools are unavailable, the agent may execute the bundled script to fetch public news results.
The skill may run an included Python script as a fallback. This is disclosed and aligned with fetching public news, but users should know local command execution is part of the workflow.
Strategy C — script tool (fallback): run `scripts/fetch_news.py`. ... python3 scripts/fetch_news.py --limit 15 --keyword 经济
Keep script execution user-visible, and review the included script before relying on the fallback.
The fallback may not work until dependencies are installed, and manual package installation carries normal package-source trust considerations.
The fallback script depends on an external Python package, but the metadata declares no required binaries, environment variables, or install spec. This is a setup/provenance gap rather than hidden behavior.
try:
    import requests
except ImportError:
    print("需要安装依赖: pip3 install requests", file=sys.stderr)
Declare Python/package requirements in install metadata or a requirements file, and pin dependency versions where practical.
Returned links are intended to be official, but a misleading URL or network tampering could reduce trust in the results; no private data exposure is evidenced.
The skill emphasizes official-only sourcing, but the fallback script uses substring URL matching and disables TLS certificate verification for RSS fetching. That makes source authenticity best-effort rather than strongly enforced.
# site: restrict to official domains to ensure quality ... if url and not any(site in url for site in OFFICIAL_SITES): return True ... requests.get(feed["url"], headers=HEADERS, timeout=10, verify=False)
Validate parsed hostnames against exact approved domains or subdomains, keep TLS verification enabled, and verify important news links before relying on them.
