疯信子AI资讯

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is largely aligned with its stated purpose (generating an AI news digest and saving it to a note service), but users should be aware of four things: an undeclared external dependency (ddgs), the use of an API key, the upload of generated content to an external note service, and an optional scheduled execution.

Before installing, verify the source and version of the ddgs package and confirm the Get笔记 API endpoint, supply a scoped API key through an environment variable, and enable the cron example only if you want the skill to run unattended every day.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing a global search tool adds third-party code to the user's environment, outside the skill's own install metadata.

Why it was flagged

The skill asks users to install a global external package, but the registry install spec declares no required binaries or packages. The dependency is aligned with the search-news purpose, but the package source and version are neither pinned nor captured by the install metadata, so nothing in the registry records what code actually gets installed.

Skill content
npm install -g ddgs
Recommendation

Verify the ddgs package's publisher and version before installing (inspect the package in the registry rather than trusting the name alone), and prefer a version-pinned, project-local installation over a global one.

What this means

The API key may allow the script to create or modify notes in the connected GetNote account.

Why it was flagged

The script uses a GetNote API key and client ID to authenticate note creation. This is expected for saving to the user's note account, and the artifacts do not show hardcoded credentials or unrelated credential use.

Skill content
GETNOTE_KEY="${GETNOTE_API_KEY:-}" ... -H "Authorization: ${GETNOTE_KEY}"
Recommendation

Use the least-privileged API key available, keep it out of shared logs and files (the cron example below appends all script output to a log file, so any verbose or debug output from curl would capture the header), and revoke it when the skill is no longer used.
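The following wrapper is an added example and not the skill's own generate.sh. It shows the handling the recommendation asks for: the key is taken only from the environment or from a file that nobody else can read, it is never placed on the curl command line (where it would be visible in ps output and in shell xtrace), and Authorization header values are scrubbed from anything that would reach the log file named in the cron line at the end of this page. The variable name GETNOTE_API_KEY and the raw "Authorization: <key>" header come from the skill; the env-file layout, the helper names, and the JSON body are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the skill's own generate.sh. Assumes the variable name
# GETNOTE_API_KEY and the raw "Authorization: <key>" header used by the skill;
# the env-file format (one line, GETNOTE_API_KEY=value, no quotes), the helper
# names and the JSON body are assumptions for this demo.

GETNOTE_ENDPOINT="https://openapi.biji.com/open/api/v1/resource/note/save"

# file_is_private FILE: true only if group and others have no permission bits.
# Parses the ls mode string so it works on both GNU and BSD userland.
file_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# load_env_file FILE: export GETNOTE_API_KEY from FILE, refusing a file that
# other users on the host can read (the usual way a cron job's key leaks).
load_env_file() {
    file_is_private "$1" || { echo "refusing $1: must be mode 0600" >&2; return 1; }
    key=$(sed -n 's/^GETNOTE_API_KEY=//p' "$1" | head -n 1)
    [ -n "$key" ] || { echo "no GETNOTE_API_KEY in $1" >&2; return 1; }
    GETNOTE_API_KEY=$key
    export GETNOTE_API_KEY
}

# require_key: fail fast if the key is missing, without echoing its value.
require_key() {
    [ -n "${GETNOTE_API_KEY:-}" ] || { echo "GETNOTE_API_KEY is not set" >&2; return 1; }
}

# redact: scrub Authorization header values (the skill sends the bare key, no
# "Bearer" prefix) from curl output before it is appended to the cron log.
redact() {
    sed -E 's/([Aa]uthorization:[[:space:]]*)[^[:space:]"]+/\1[REDACTED]/g'
}

# post_note BODY_FILE: send the generated report as a JSON note. The header is
# fed through curl's config reader on stdin (-K -), so the key never appears in
# argv (visible via ps) or in xtrace, unlike -H "Authorization: $KEY".
post_note() {
    require_key || return 1
    curl -sS -X POST "$GETNOTE_ENDPOINT" \
        -H 'Content-Type: application/json' \
        --data-binary "@$1" \
        -K - <<EOF 2>&1 | redact
header = "Authorization: ${GETNOTE_API_KEY}"
EOF
}

# Usage (assumed cron wrapper): post_note.sh /path/to/getnote.env /path/to/body.json
if [ "$#" -eq 2 ]; then
    load_env_file "$1" && post_note "$2"
fi
```

If the skill is run from cron, point the cron line at this wrapper and keep the env file at mode 0600 under the account the job runs as; the redaction means an accidental `-v` or `set -x` no longer writes the credential into ai-news.log.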

What this means

Generated report content will be stored by the external note provider, and the user’s API credential is presented to that endpoint.

Why it was flagged

Generated report content and authentication headers are sent to an external note-service API. This is purpose-aligned, though the exact API host differs from the setup URL shown in SKILL.md.

Skill content
curl -s -X POST "https://openapi.biji.com/open/api/v1/resource/note/save"
Recommendation

Confirm that openapi.biji.com is the intended Get笔记 API endpoint before using real credentials. Because the credential travels in the request header, a host mismatch means the key is handed to whichever server answers at that name, so check the host against the provider's own API documentation rather than against the setup URL in SKILL.md alone.
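One way to make that check repeatable is to list every host a script contacts and compare the list with the documented endpoint, so a second host added later (or a typo-squatted domain) fails loudly. This is an added example, not part of the skill or of ClawScan; only the openapi.biji.com host comes from the page, and the sample script lines used in the usage section are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the skill. Finds every http(s) host referenced in a
# script and fails unless each one is on an expected list. The sample script in
# the usage block is constructed; only openapi.biji.com appears in the skill.

# script_hosts FILE: print the unique hostnames of all http(s) URLs in FILE.
script_hosts() {
    grep -oE 'https?://[A-Za-z0-9._-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# check_hosts FILE HOST...: succeed only if every host found in FILE is one of
# the expected HOSTs; report each offender on stderr otherwise.
check_hosts() {
    file=$1
    shift
    rc=0
    for h in $(script_hosts "$file"); do
        ok=0
        for want in "$@"; do
            [ "$h" = "$want" ] && ok=1
        done
        [ "$ok" -eq 1 ] || { echo "unexpected host in $file: $h" >&2; rc=1; }
    done
    return $rc
}

# Usage: check_hosts.sh scripts/generate.sh openapi.biji.com
# Exit status is non-zero if the script talks to any host not listed.
if [ "$#" -ge 2 ]; then
    check_hosts "$@"
fi
```

Run it against scripts/generate.sh with the host you confirmed from the provider's documentation; a non-zero exit is the signal to stop and read the script before supplying a real key.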

What this means

If enabled, the script may run every day and create notes without a fresh manual prompt each time.

Why it was flagged

The documentation suggests an optional cron job for daily execution. This is disclosed and user-directed, but it creates ongoing automation that keeps using the configured API key without further interaction, and the example appends all of the script's output to a log file.

Skill content
0 8 * * * /path/to/ai-news-generator/scripts/generate.sh >> /path/to/logs/ai-news.log 2>&1
Recommendation

Only add the cron job if recurring posting is desired, run it under an account that holds nothing but this key, and remove the entry when the automation is no longer needed so the key stops being exercised.