TrendScope Security Report — Low Risk | ClawSafe

25 /100

TrendScope

舆情趋势洞察技能，根据用户需求自动生成专业的舆情分析报告

TrendScope 是一个合法的舆情分析工具，代码功能与文档声明一致，但存在硬编码外部 IP 地址的可疑行为

Skill NameTrendScope

Duration37.4s

Enginepi

✓

Safe to install

建议确认 API 服务提供商可信性，若用于生产环境应使用域名替代硬编码 IP

Findings 3 items

Severity	Finding	Location
Medium	硬编码外部服务器 IP API 端点地址使用硬编码 IP 而非域名，隐藏了真实服务端位置，不符合安全最佳实践 `API_BASE_URL = "http://221.6.15.90:18011"` → 使用 DNS 域名替代硬编码 IP，便于追溯和更换	`scripts/report_cli.py:31`
Low	依赖库无版本锁定 requests 和 python-dotenv 等依赖未指定版本，可能引入供应链风险 `import requests; from dotenv import load_dotenv` → 建议在 requirements.txt 中锁定具体版本	`scripts/report_cli.py:17`
Low	HTML 模板含外部 URL assets/report_template.html 包含多个指向抖音的外部链接 `https://www.iesdouyin.com/share/video/...` → 示例数据中的外部链接无安全风险，但建议添加 rel="noopener"	`assets/report_template.html:128`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	scripts/report_cli.py:58 读取 .env 配置
Network	`READ`	`READ`	✓ Aligned	scripts/report_cli.py:352 POST 请求到外部 API

1 High 25 findings

📡

High IP Address 硬编码 IP 地址

221.6.15.90

scripts/report_cli.py:31

🔗

Medium External URL 外部 URL

https://gitee.com/feedax/trend-scope.git

README.md:28

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616212349669707051

assets/report_template.html:128

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616302367981542827?app=aweme_hotsoon

assets/report_template.html:137

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616302367981542827

assets/report_template.html:150

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616252003953726331

assets/report_template.html:163

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615977402434470065

assets/report_template.html:172

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615977402434470065?app=aweme_hotsoon

assets/report_template.html:181

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/note/7616237602023131003

assets/report_template.html:190

🔗

Medium External URL 外部 URL

https://channels.weixin.qq.com/web/pages/feed?oid=zm3U7fZbCIc=

assets/report_template.html:199

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615885724918963706

assets/report_template.html:208

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616293025266599354

assets/report_template.html:217

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616293025266599354?app=aweme_hotsoon

assets/report_template.html:226

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615762266093762150

assets/report_template.html:235

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615762266093762150?app=aweme_hotsoon

assets/report_template.html:244

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615878342323896955

assets/report_template.html:253

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616218991946856421?app=aweme_hotsoon

assets/report_template.html:262

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7616218991946856421

assets/report_template.html:271

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615898405571933166

assets/report_template.html:280

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615898405571933166?app=aweme_hotsoon

assets/report_template.html:289

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615831326072333925

assets/report_template.html:298

🔗

Medium External URL 外部 URL

https://www.iesdouyin.com/share/video/7615833208143252081?app=aweme_hotsoon

assets/report_template.html:307

🔗

Medium External URL 外部 URL

http://221.6.15.90:18011

scripts/report_cli.py:31

🔗

Medium External URL 外部 URL

https://www.feedax.cn

scripts/report_cli.py:352

🔗

Medium External URL 外部 URL

https://www.feedax.cn免费申请，完成后请告诉我API

skill.md:31

File Tree

4 files · 86.9 KB · 2001 lines

Python 1f · 1023L Markdown 2f · 630L HTML 1f · 348L

├─ ▾ 📁 assets

│ └─ 📄 report_template.html HTML 348L · 23.5 KB

├─ ▾ 📁 scripts

│ └─ 🐍 report_cli.py Python 1023L · 38.5 KB

├─ 📝 README.md Markdown 63L · 1.7 KB

└─ 📝 skill.md Markdown 567L · 23.2 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	pip	No	无版本锁定，标准 HTTP 库
`python-dotenv`	`*`	pip	No	无版本锁定，环境变量管理

Security Positives

✓ 代码功能与 SKILL.md 文档声明完全一致，无阴影功能

✓ API Key 通过环境变量管理，未硬编码在代码中

✓ 无凭证收割、远程执行、数据窃取等恶意行为

✓ 报告输出到用户桌面目录，符合工具类技能正常行为

✓ 使用标准 requests 库进行 HTTP 通信，无可疑网络行为

✓ 错误处理完善，无敏感信息泄露风险

Scan Report

Findings 3 items

File Tree

Dependencies 2 items

Security Positives