Low risk — risk score 20/100
Last scan: 2 days ago
xianyu-automation
Enterprise-grade automated operations for Xianyu stores with full lifecycle management and intelligent decision engine
A legitimate Xianyu store automation skill with placeholder code that delegates functionality to external dependencies; no direct malicious behavior observed.
Skill name: xianyu-automation
Analysis time: 41.2s
Engine: pi
Verdict: OK to install
Review the external skill dependencies (xianyu-api-client-skill, xianyu-product-manager-skill) for security before deployment, as this skill imports and relies on them.

Security findings (3)

Low: External skill dependency without version pinning (__init__.py:4)
The skill imports xianyu_api_client_skill and xianyu_product_manager_skill but does not pin versions or verify source integrity, introducing supply chain risk.
Evidence: from xianyu_api_client_skill import XianYuAPIClient
→ Pin dependency versions and verify package integrity before production use

Low: External URL in skill metadata (SKILL.md:14)
SKILL.md metadata contains homepage: https://www.goofish.pro, which has not been security-vetted.
Evidence: homepage: https://www.goofish.pro
→ Verify the legitimacy and security of external URLs before trusting them

Low: Placeholder implementation (__init__.py:48)
The refresh_product_activity method contains TODO comments and placeholder logic rather than a functional implementation.
Evidence: # TODO: implement the product update API here
→ Verify implementation completeness before deployment
Resource type          Declared   Inferred   Status         Evidence
File system            NONE       NONE                      No file operations in __init__.py
Network access         NONE       NONE                      Network calls delegated to external xianyu_api_client_skill
Command execution      NONE       NONE                      No subprocess or shell execution
Environment variables  NONE       NONE                      No direct os.environ access
Skill invocation       READ       READ       ✓ consistent   Imports and uses external skills
Clipboard              NONE       NONE                      No clipboard access
Browser                NONE       NONE                      No browser automation
Database               NONE       NONE                      No database operations
External URLs: 1 finding
Medium: External URL https://www.goofish.pro (SKILL.md:14)

Directory structure

2 files · 11.3 KB · 343 lines
Markdown: 1 file · 213 lines; Python: 1 file · 130 lines
├─ 🐍 __init__.py Python 130 lines · 4.6 KB
└─ 📝 SKILL.md Markdown 213 lines · 6.6 KB

Dependency analysis (2)

Package                       Version   Source          Known vulnerabilities / Notes
xianyu_api_client_skill       unpinned  external skill  Not verified - external dependency
xianyu_product_manager_skill  unpinned  external skill  Not verified - external dependency

Security highlights

✓ No shell execution (subprocess, os.system)
✓ No credential harvesting or exfiltration
✓ No base64-encoded payloads or obfuscated code
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No eval() or dynamic code execution
✓ No curl|bash or wget|sh patterns
✓ No hidden instructions in comments
✓ Uses only standard library imports (time, typing)