Fund News Daily (基金新闻日报)
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing unpinned packages can expose users to dependency changes or supply-chain risk if a package later changes unexpectedly.
The skill documentation instructs installing external packages without pinned versions. This is purpose-aligned for search and Word generation, but users should be aware that package provenance and versions are not locked.
npm install -g mcporter ... pip install python-docx
Install dependencies from trusted package registries, consider pinning known-good versions, and review the package sources if used in a sensitive environment.
Users may have less certainty that the displayed registry metadata and packaged metadata refer to the same exact release.
The embedded metadata differs from the registry metadata provided for this review, which lists a different owner ID and version 1.0.1. This is a provenance/coherence issue, but the artifact behavior itself remains aligned with the stated purpose.
"ownerId": "kn781r78ayncbf9yk6be7z5e5182mmmc", "version": "1.0.0"
Confirm the publisher and version before installation, especially if relying on this skill in a production or compliance-sensitive workflow.
