基金新闻日报 (Fund News Daily)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to scrape public fund-news websites and generate reports as described, but users should notice that it may automatically install third-party packages on first use.
This looks appropriate for generating public fund-news summaries. Before using it, confirm you are comfortable letting the agent install `agent-browser` and `python-docx`; for safer use, install vetted versions yourself or run it in an isolated environment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may install software on the user’s machine before running the report, which can persist beyond the task.
The skill discloses automatic installation of third-party dependencies, including a global npm package and an unpinned pip package. This is aligned with scraping and Word output, but users should be aware of local environment changes and package provenance risk.
On first use, the AI will automatically detect and install the following dependencies: ... npm install -g agent-browser ... pip install python-docx
Review and approve dependency installation explicitly; consider preinstalling trusted versions, using a virtual environment, and avoiding global installs when possible.
