Cctv News Fetcher Litiao

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it says: run a bundled JavaScript crawler to fetch public CCTV news pages for a requested date, with a few minor setup and disclosure notes.

This looks like a straightforward public-news crawler. Before installing, make sure you are comfortable with it running a local JavaScript script, making web requests to CCTV pages, and using the included npm dependency. Consider removing the hard-coded Cookie header or restricting fetched links to CCTV domains if you want a tighter security posture.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Low
What this means

Using the skill will run a local JavaScript crawler process when the user asks for news.

Why it was flagged

The skill tells the agent to run a bundled JavaScript file. This is expected for a crawler skill and the provided script matches the stated purpose, but it is still local code execution the user should be aware of.

Skill content

Execute the script at `{baseDir}/scripts/news_crawler.js` using `bun` or `node`.

Recommendation

Install only if you are comfortable running the included script and have the needed Node/Bun runtime and dependency available.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill may fail or require manual dependency/runtime setup if Node/Bun or node-html-parser is not available.

Why it was flagged

The artifacts include package.json/package-lock.json and SKILL.md says the skill depends on node-html-parser and Bun/Node, but installation is not automated or fully declared in the install spec. This is a setup clarity issue, not evidence of malicious behavior.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Before use, verify the local runtime and dependencies are installed from the included package-lock.json or another trusted source.

ASI02: Tool Misuse and Exploitation
Low
What this means

The script may make additional outbound web requests to URLs listed on the source page.

Why it was flagged

The crawler follows links extracted from fetched CCTV pages. This is normal for the stated news-fetching purpose, but the code does not explicitly restrict followed links to CCTV domains.

Skill content

const pageUrls = soup.querySelectorAll('li a').slice(1).map(a => a.getAttribute('href') || ''); ... fetch(pageUrl, { headers });

Recommendation

If tighter network control is needed, add host allowlisting for tv.cctv.com and cctv.cntv.cn.

ASI03: Identity and Privilege Abuse
Low
What this means

Requests made by the crawler include a static cookie value, which may be unnecessary or could affect request tracking by the remote site.

Why it was flagged

The script sends a hard-coded Cookie header while the metadata declares no credential requirement. There is no evidence it reads user cookies or secrets, so this is a disclosure note rather than a privilege-abuse concern.

Skill content

'Cookie': 'cna=DLYSGBDthG4CAbRVCNxSxGT6'

Recommendation

Remove the hard-coded Cookie header unless it is required, or clearly document why it is included.