Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# 新闻爬虫依赖 requests>=2.28.0 beautifulsoup4>=4.11.0 openpyxl>=3.0.0
- Confidence
- 95% confidence
- Finding
- requests>=2.28.0
news-scraper-xiaobai
Security checks across malware telemetry and agentic risk
Overview
This is a straightforward AI news scraper with ordinary network and local-file behavior, but its dependency hygiene should be improved.
Install only in a Python environment where you are comfortable running a public-news scraper. Prefer pinning or locking dependencies before use, consider removing unused openpyxl, and ignore any instructions that might appear inside scraped article text.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# 新闻爬虫依赖 requests>=2.28.0 beautifulsoup4>=4.11.0 openpyxl>=3.0.0
- Confidence
- 95% confidence
- Finding
- beautifulsoup4>=4.11.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
requests>=2.28.0 beautifulsoup4>=4.11.0 openpyxl>=3.0.0
- Confidence
- 96% confidence
- Finding
- openpyxl>=3.0.0
Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more
High
- Category
- Supply Chain
- Confidence
- 89% confidence
- Finding
- requests
Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)
High
- Category
- Supply Chain
- Confidence
- 93% confidence
- Finding
- openpyxl
VirusTotal
66/66 vendors flagged this skill as clean.