risk-sentiment-scanner

Advisory: Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Company names and risk-search terms may be sent to web-search or extraction providers, and the final report depends on retrieved public pages.

Why it was flagged

The skill directs the agent to use web-search and page-extraction tools with the provided company names. This is disclosed and bounded, but it sends user-provided or remembered company lists into external search/content flows.

Skill content

Use the `batch_web_search` tool, fetching at most **8 search results** per company. ... Use `extract_content_from_websites` to extract the page body text.

Recommendation

Use it only for company lists you are comfortable searching externally, and review the cited sources before acting on the report.

What this means

A stored watchlist or saved reports may reveal business monitoring priorities and may drive future scheduled scans.

Why it was flagged

The skill can reuse a persistent watchlist and save reports for future use. This is purpose-aligned monitoring behavior, but persistent entries can become stale, sensitive, or influence later scans.

Skill content

Read the company list from `memory/risk-watchlist.md` ... Optional: save to `memory/risk-reports/YYYY-MM-DD.md`

Recommendation

Keep the watchlist private and curated, avoid adding confidential notes, and review it before enabling periodic scans.

What this means

Risk reports could be written to a Feishu workspace and become visible according to that workspace's document-sharing settings.

Why it was flagged

The skill can optionally hand results to another Feishu integration, which may use workspace permissions. This is disclosed and optional, but it is not reflected as a credential requirement in metadata.

Skill content

Optional: push to a Feishu document (via the Feishu Skill interface)

Recommendation

Only enable Feishu push after confirming the destination account, document permissions, and whether the report contains sensitive company monitoring information.

What this means

If you manually run the helper, you need a trusted Node runtime and should understand that it reads an input file and writes a local report.

Why it was flagged

An executable Node helper script is included even though metadata lists no install spec or required binaries. The script uses built-in file operations and is not automatically executed, so this is a disclosure/provenance note rather than a malicious indicator.

Skill content

#!/usr/bin/env node ... node scan.js --file companies.txt

Recommendation

Review the helper before manual execution, and consider updating metadata to declare the Node helper/runtime if it is intended to be used.