Low Risk — Risk Score 20/100
Last scan: 2 days ago
xianyu-automation
Enterprise-grade automated operations for Xianyu stores with full lifecycle management and intelligent decision engine
A legitimate Xianyu store automation skill with placeholder code that delegates functionality to external dependencies; no direct malicious behavior observed.
Skill Name: xianyu-automation
Duration: 41.2s
Engine: pi
Safe to install
Review the external skill dependencies (xianyu-api-client-skill, xianyu-product-manager-skill) for security before deployment, as this skill imports and relies on them.

Findings 3 items

Severity | Finding | Location

Low | External skill dependency without version pinning | __init__.py:4
The skill imports xianyu_api_client_skill and xianyu_product_manager_skill but does not pin versions or verify source integrity. Whatever code those packages resolve to at install time runs with this skill's full privileges, so a modified or substituted dependency is a supply chain risk.
    from xianyu_api_client_skill import XianYuAPIClient
→ Pin dependency versions and verify package integrity before production use

Low | External URL in skill metadata | SKILL.md:14
SKILL.md metadata contains homepage: https://www.goofish.pro, which has not been security-vetted.
    homepage: https://www.goofish.pro
→ Verify the legitimacy and security of external URLs before trusting them

Low | Placeholder implementation | __init__.py:48
The refresh_product_activity method contains TODO comments and placeholder logic rather than a functional implementation.
    # TODO: the product update interface needs to be implemented here
→ Verify implementation completeness before deployment
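How the "pin dependency versions and verify package integrity" recommendation can be enforced at load time, as an added example that is not part of xianyu-automation or of the scanner that produced this report: a pin manifest records a SHA-256 for each external skill's source file, and a loader refuses to import a skill whose file no longer matches. The manifest layout, the verify_pin/import_pinned helper names and the stand-in xianyu_api_client_skill module written to a temporary directory are all assumptions made for this illustration.

```python
# Added example (not part of xianyu-automation): refuse to import an external
# skill unless its source file matches a pinned SHA-256. The manifest format,
# helper names and the stand-in skill module are assumptions for illustration.
import hashlib
import hmac
import importlib.util
import os
import tempfile
import textwrap


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so a large skill is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pin(manifest: dict, name: str) -> bool:
    """True only if `name` is in the manifest and its file matches the pinned digest."""
    entry = manifest.get(name)
    if entry is None or not os.path.isfile(entry["path"]):
        return False
    # constant-time compare costs nothing here and avoids a timing channel on the digest
    return hmac.compare_digest(sha256_file(entry["path"]), entry["sha256"])


def import_pinned(manifest: dict, name: str):
    """Import the skill module from its pinned path only after the integrity check passes."""
    if not verify_pin(manifest, name):
        raise ImportError(f"refusing to import {name}: unpinned or integrity mismatch")
    spec = importlib.util.spec_from_file_location(name, manifest[name]["path"])
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def demo() -> dict:
    """Constructed scenario: a stand-in xianyu_api_client_skill, pinned, then tampered."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "xianyu_api_client_skill.py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(textwrap.dedent("""
            class XianYuAPIClient:
                def ping(self):
                    return "pong"
        """))
    # Pin at review time: this is what a lockfile checked into the repo would hold.
    manifest = {"xianyu_api_client_skill": {"path": path, "sha256": sha256_file(path)}}
    pinned_ok = verify_pin(manifest, "xianyu_api_client_skill")
    client = import_pinned(manifest, "xianyu_api_client_skill").XianYuAPIClient()
    ping = client.ping()

    # Simulate a supply-chain substitution: the dependency changes after it was pinned.
    with open(path, "a", encoding="utf-8") as fh:
        fh.write("\nimport os  # newly injected code\n")
    tampered_ok = verify_pin(manifest, "xianyu_api_client_skill")
    try:
        import_pinned(manifest, "xianyu_api_client_skill")
        blocked = False
    except ImportError:
        blocked = True
    return {"pinned_ok": pinned_ok, "ping": ping, "tampered_ok": tampered_ok, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The digest in the manifest is only as trustworthy as the review that produced it: generate it from a copy of the dependency you have actually read, commit the manifest alongside the skill, and regenerate it deliberately on every dependency update rather than letting the loader refresh it.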
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file operations in __init__.py
Network | NONE | NONE | | Network calls delegated to external xianyu_api_client_skill
Shell | NONE | NONE | | No subprocess or shell execution
Environment | NONE | NONE | | No direct os.environ access
Skill Invoke | READ | READ | ✓ Aligned | Imports and uses external skills
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database operations
External URLs (1 finding)

Medium | External URL | https://www.goofish.pro | SKILL.md:14

File Tree

2 files · 11.3 KB · 343 lines
Markdown: 1 file, 213 lines · Python: 1 file, 130 lines
├─ 🐍 __init__.py Python 130L · 4.6 KB
└─ 📝 SKILL.md Markdown 213L · 6.6 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
xianyu_api_client_skill | unpinned | external skill | No | Not verified - external dependency
xianyu_product_manager_skill | unpinned | external skill | No | Not verified - external dependency

Security Positives

✓ No shell execution (subprocess, os.system)
✓ No credential harvesting or exfiltration
✓ No base64-encoded payloads or obfuscated code
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No eval() or dynamic code execution
✓ No curl|bash or wget|sh patterns
✓ No hidden instructions in comments
✓ Standard library imports limited to time and typing; the only other imports are the two external skills listed under Dependencies
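How a scanner arrives at the Declared/Inferred resource table above and at positives such as "no subprocess", "no os.environ access" and "no eval()", as an added example that is not the pi engine behind this report: walk the module's AST, map imports, calls and subscripts to the resource they imply, and compare the result with what the skill declares. The CAPABILITY_HINTS table, the "_skill" naming convention used to recognise sibling skills, the helper names and both constructed skill sources are assumptions for this illustration; a real engine covers far more APIs and also parses SKILL.md for the declared side.

```python
# Added example (not the scanner behind this report): infer a skill's resource
# use from its Python source with `ast`, then compare with what it declares.
# CAPABILITY_HINTS, the helper names and the sample sources are assumptions.
import ast
from typing import Dict, List, Optional, Set

# Assumed mapping from import root or dotted call prefix to the resource it implies.
CAPABILITY_HINTS = {
    "subprocess": "Shell", "os.system": "Shell", "os.popen": "Shell",
    "os.environ": "Environment", "os.getenv": "Environment",
    "open": "Filesystem", "pathlib": "Filesystem", "shutil": "Filesystem",
    "socket": "Network", "urllib": "Network", "requests": "Network", "httpx": "Network",
    "eval": "Dynamic code", "exec": "Dynamic code", "base64": "Encoded payload",
}
RESOURCES = ["Filesystem", "Network", "Shell", "Environment", "Skill Invoke",
             "Clipboard", "Browser", "Database"]


def _dotted(node: ast.AST) -> Optional[str]:
    """Rebuild 'os.environ.get' from a Name/Attribute chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _hint_for(name: str) -> Optional[str]:
    """Longest hint that equals `name` or is a dotted prefix of it."""
    for hint in sorted(CAPABILITY_HINTS, key=len, reverse=True):
        if name == hint or name.startswith(hint + "."):
            return CAPABILITY_HINTS[hint]
    return None


def infer_capabilities(source: str) -> Dict[str, List[str]]:
    """Map each inferred resource to the evidence (line + construct) that implied it."""
    found: Dict[str, List[str]] = {}

    def note(resource: str, node: ast.AST, what: str) -> None:
        found.setdefault(resource, []).append(f"line {node.lineno}: {what}")

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            root = name.split(".")[0]
            if root in CAPABILITY_HINTS:
                note(CAPABILITY_HINTS[root], node, f"import {name}")
            elif root.endswith("_skill"):  # assumed naming convention for sibling skills
                note("Skill Invoke", node, f"import {name}")
        # Calls (subprocess.run(...), open(...)) and subscripts (os.environ["X"])
        target = None
        if isinstance(node, ast.Call):
            target = _dotted(node.func)
        elif isinstance(node, ast.Subscript):
            target = _dotted(node.value)
        if target is not None:
            resource = _hint_for(target)
            if resource is not None:
                kind = "call" if isinstance(node, ast.Call) else "subscript"
                note(resource, node, f"{kind} {target}")
    return found


def compare(declared: Set[str], inferred: Dict[str, List[str]]) -> Dict[str, str]:
    """Per resource: Aligned if declared and inferred agree, else Undeclared or Unused."""
    status = {}
    for resource in sorted(set(RESOURCES) | set(inferred)):
        d, i = resource in declared, resource in inferred
        status[resource] = "Aligned" if d == i else ("Undeclared" if i else "Unused")
    return status


# Constructed sample modelled on the report: only time, typing and a sibling skill.
SKILL_CLEAN = '''
import time
from typing import Optional
from xianyu_api_client_skill import XianYuAPIClient

def refresh_product_activity(client: XianYuAPIClient) -> Optional[str]:
    time.sleep(1)
    # TODO: product update interface still to be implemented
    return None
'''

# Constructed sample of a skill that reads a secret and shells out without declaring it.
SKILL_SNEAKY = '''
import os, subprocess
from xianyu_api_client_skill import XianYuAPIClient

def run(cmd):
    token = os.environ["XIANYU_TOKEN"]
    return subprocess.run(cmd, shell=True)
'''

if __name__ == "__main__":
    for label, src in (("clean", SKILL_CLEAN), ("sneaky", SKILL_SNEAKY)):
        print(label, compare({"Skill Invoke"}, infer_capabilities(src)))
```

Static inference of this kind is only a lower bound: it cannot see what the imported xianyu_api_client_skill does on the skill's behalf, which is exactly why the report's Network row reads "delegated" rather than "none" and why the dependencies themselves need the same review.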