News Crawling and Briefing Generation for Key Companies in the AI Sector
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The provided artifacts match a news-crawling and briefing workflow: web access, optional Ark API summarization, and local output/history are all expected for that purpose, and there is no evidence of hidden destructive behavior.
Before installing, use trusted RSS/web source configuration files, keep ARK_API_KEY scoped to this workflow if you enable Doubao/Ark summaries, and review where output, logs, and the SQLite history database are stored.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a source configuration or source page is untrusted, the skill may request unintended web URLs from the user's environment.
The crawler fetches configured list pages and follows extracted HTTP links, which is expected for a news crawler but means source configuration should be trusted.
html = self._get_text(list_url) ... links = self._extract_links(html, link_selector=link_selector, base_url=url_prefix) ... self.session.get(url, timeout=self.request_timeout)
Use trusted source_config.xlsx entries, set precise link selectors where possible, and avoid adding internal or sensitive URLs as sources.
Providing an Ark API key lets the workflow call that account's model API and may incur usage under that account.
The skill can use a Volcengine Ark credential for optional summarization; this is purpose-aligned and disclosed, though registry requirements list no required env vars.
Provide API key via environment variable: `ARK_API_KEY`
Use a dedicated, least-privilege API key if available, monitor usage, and do not place unrelated credentials in the environment.
News content and possibly company-watchlist context may be processed by the external Ark/Doubao service.
Using an external model provider for summarization implies crawled article text or derived content may be sent to that provider when the optional API is enabled.
optionally generates Chinese titles & ~80-char summaries ... via Doubao (Volcengine Ark)
Enable Ark summarization only if the source content is suitable for that provider, and review provider data-handling terms for sensitive business watchlists.
Company-related news history and run metadata may remain on disk after runs.
The workflow persists news history and run logs locally for deduplication and reporting, which is expected but creates retained local state.
CREATE TABLE IF NOT EXISTS news_history ... source_url TEXT UNIQUE ... related_companies TEXT ... CREATE TABLE IF NOT EXISTS run_log
Review the configured database/log paths and retention needs, and delete local history if the watched company list or outputs are sensitive.
