Suspicious — Risk Score 48/100
Last scan: 1 day ago
x-daily-report
Automatically monitors the activity of the world's top AI-field X/Twitter accounts every day and generates a structured daily report.
The skill implements X/Twitter monitoring with undeclared browser cookie access, a hardcoded API key, and undocumented communication with the Feishu API, none of which is mentioned in SKILL.md.
Skill Name: x-daily-report
Duration: 50.5s
Engine: pi
Use with caution
Remove the hardcoded API key, declare browser:READ for the Chrome cookie access, document the Feishu integration in SKILL.md, and pin dependency versions (with a committed lockfile).

Findings (5 items)

Severity | Finding (category) | Location
High | Hardcoded API Key in Source Code (Credential Theft) | scripts/x-monitor.js:11
A plaintext X API key is embedded in scripts/x-monitor.js at line 11. The literal is base64 and decodes to a colon-separated key:secret pair, the form X's OAuth 2.0 app-only bearer-token request expects; the secret half is only five characters long, which supports reading it as a placeholder or test value. Hardcoding a credential in source is still a serious anti-pattern: once committed it is exposed through version-control history and in every copy of the skill, so the value should be treated as potentially live and, if it was ever real, revoked in the X developer portal.
const X_API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ';
→ Remove the hardcoded credential. Read it from the environment (process.env.X_API_KEY), fail fast when it is missing, and document the required variable in SKILL.md.
High | Undeclared Browser Cookie Access (Doc Mismatch) | scripts/x-scraper-free.js:90
x-scraper-free.js calls scraper.useCookiesFromBrowser('chrome') to reuse the live Chrome session for X authentication. This capability is not declared anywhere in SKILL.md. Reading Chrome's cookie store means opening the profile's cookie database and decrypting it with the operating system's key store (Keychain on macOS, DPAPI on Windows), so the same code path that yields X cookies can yield the authenticated sessions of every other site in that profile. An agent with this skill holds that capability whether or not the skill ever exercises it.
await scraper.useCookiesFromBrowser('chrome');
→ Declare browser:READ in SKILL.md and document why Chrome cookie reuse is necessary. Where the library allows it, prefer supplying the X session cookies explicitly (for example from environment variables) over reading the whole browser store.
Medium | Undeclared Feishu/Bitable API Communication (Doc Mismatch) | scripts/x-monitor.js:8
x-monitor.js communicates with open.feishu.cn to fetch the account list from a Feishu Bitable, authenticating with FEISHU_ACCESS_TOKEN from the environment. This external data source is not documented in SKILL.md, which describes only the free and API modes and never mentions Feishu. Because the Bitable decides which accounts are monitored, anyone who can edit that table controls the skill's input.
const FEISHU_API_BASE = 'https://open.feishu.cn/open-apis';
→ Document the Feishu Bitable integration in SKILL.md if it is intentional (the endpoint, the FEISHU_ACCESS_TOKEN requirement, and who may edit the table) and declare the network access; otherwise remove the code.
Medium | Unpinned Dependency Versions (Supply Chain) | package.json:10
@the-convocation/twitter-scraper (^0.22.1) and axios (^1.6.0) are listed with caret ranges. Under npm's caret rules a 0.x range floats only across patch releases (^0.22.1 resolves to >=0.22.1 <0.23.0), while ^1.6.0 accepts any minor or patch release below 2.0.0. Either way a compromised upstream release inside the range is installed silently on the next install, and the file tree contains no package-lock.json, so transitive dependencies are not pinned at all.
"@the-convocation/twitter-scraper": "^0.22.1"
→ Pin exact versions (e.g. "0.22.1"), commit a package-lock.json, and install with npm ci so every install resolves the same dependency tree.
Low | SKILL.md Misleading Zero-Cost Claim (Doc Mismatch) | SKILL.md:1
SKILL.md prominently advertises "zero-cost operation" (零成本运行) and "no X developer account needed" (无需X开发者账号) but ships x-monitor.js, which explicitly requires X_API_KEY. x-scraper-free.js is the recommended path, yet the presence of x-monitor.js with a hardcoded key contradicts the zero-cost messaging, and the free mode itself depends on a Chrome profile already logged in to X, which the claim also leaves out.
✅ **Zero-cost operation**: supports a free no-API scraper mode, no X developer account needed
→ Clarify that an API-requiring mode exists alongside the free mode and state what the free mode needs (a Chrome session logged in to X), or remove x-monitor.js if it is not a supported feature.
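The first finding above recommends moving the key out of the source and into the environment. The following is an added example written for this page, not code from the x-daily-report skill: it scans source text for base64-shaped literals, tests whether a hit decodes to the key:secret form X's app-only auth uses, and shows the hardened loader that replaces the hardcoded constant. The sample source is constructed inline to mirror the flagged lines; a real run would read scripts/x-monitor.js from disk.

```javascript
// Added example, not code from the x-daily-report skill: detect a hardcoded
// X API credential in source text and show the hardened replacement.
// Assumption: SAMPLE_SOURCE is a constructed stand-in for the flagged lines.

const SAMPLE_SOURCE = [
  "const FEISHU_API_BASE = 'https://open.feishu.cn/open-apis';",
  "const X_API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ';",
  "const REPORT_DIR = './reports';",
].join('\n');

// A quoted literal of 24+ base64-alphabet characters (optionally padded).
// Paths and URLs fail this test because of '.', ':' or '-'.
const BASE64_LITERAL = /(['"`])([A-Za-z0-9+/]{24,}={0,2})\1/g;

function findHardcodedSecrets(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(BASE64_LITERAL)) {
      const literal = m[2];
      const decoded = Buffer.from(literal, 'base64').toString('utf8');
      // X's OAuth 2.0 app-only flow sends base64("consumer_key:consumer_secret"),
      // so printable ASCII with exactly one ':' is a much stronger credential
      // signal than "looks like base64" on its own.
      const printable = /^[\x20-\x7e]+$/.test(decoded);
      const parts = decoded.split(':');
      hits.push({
        line: idx + 1,
        literal,
        keySecretShape: printable && parts.length === 2,
        decoded: printable ? decoded : null,
      });
    }
  });
  return hits;
}

// Hardened replacement for `const X_API_KEY = '...'`: the value comes from
// the environment, is validated before use, and is never written to logs.
const PLACEHOLDER_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ';

function loadXApiKey(env = process.env) {
  const key = (env.X_API_KEY || '').trim();
  if (!key) {
    throw new Error('X_API_KEY is not set; export it before running x-monitor.js');
  }
  // Refuse the value that was committed to the repository so a copied
  // sample configuration cannot silently keep using it.
  if (key === PLACEHOLDER_KEY) {
    throw new Error('X_API_KEY still holds the placeholder committed to the repository');
  }
  return key;
}

// Use this, never the raw key, in any log line or error message.
function redact(secret) {
  if (secret.length <= 8) return '****';
  return `${secret.slice(0, 4)}...${secret.slice(-4)}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findHardcodedSecrets(SAMPLE_SOURCE)) {
    console.log(`line ${hit.line}: ${redact(hit.literal)} key:secret shape = ${hit.keySecretShape}`);
  }
}
```

Run it with node and it reports line 2 of the sample as a key:secret-shaped credential. The decode step is what separates an API credential from an ordinary base64 blob such as an embedded image; it is also why the "no base64 strings" positive at the bottom of this report needs the qualification given there.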
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✓ Aligned | x-scraper-free.js:9 — writeFile() used for local report output, documented in SK…
Network | NONE | READ | ✗ Violation | x-scraper-free.js:7 — Scraper fetches X/Twitter; x-monitor.js:8 — Feishu API cal…
Browser | NONE | READ | ✗ Violation | x-scraper-free.js:90 — scraper.useCookiesFromBrowser('chrome') extracts live X s…
Shell | NONE | NONE | n/a | No subprocess, exec, or shell command execution found
Environment | NONE | NONE | n/a | No env iteration for secrets; FEISHU_ACCESS_TOKEN read only when used
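The table above, together with the cookie-access and Feishu findings, is the output of a declared-versus-inferred capability comparison. The block below is an added example that reproduces that comparison; it is not code from the x-daily-report skill or from the scanner that produced this report. It assumes a hypothetical front-matter key "permissions: [resource:LEVEL, ...]" in SKILL.md (the real declaration format is not shown on this page), and the script bodies are constructed stand-ins for the flagged lines, not the skill's real files.

```javascript
// Added example, not code from the x-daily-report skill or its scanner:
// infer which resources a skill's scripts touch and compare them with what
// SKILL.md declares. Assumptions: the "permissions:" front-matter key is
// hypothetical; SCRIPTS holds constructed stand-ins for the flagged lines.

const SKILL_MD = `---
name: x-daily-report
permissions: [filesystem:WRITE]
---
# x-daily-report
Writes a daily report to ./reports.
`;

const SCRIPTS = {
  'scripts/x-scraper-free.js': [
    "const { writeFile } = require('fs/promises');",
    "const { Scraper } = require('@the-convocation/twitter-scraper');",
    "const scraper = new Scraper();",
    "await scraper.useCookiesFromBrowser('chrome');",
    "await writeFile('./reports/today.md', report);",
  ].join('\n'),
  'scripts/x-monitor.js': [
    "const axios = require('axios');",
    "const FEISHU_API_BASE = 'https://open.feishu.cn/open-apis';",
    "const rows = await axios.get(FEISHU_API_BASE + bitablePath); // path illustrative",
  ].join('\n'),
};

// Each rule maps a source pattern to a resource and access level. Patterns
// are deliberately coarse: an auditor wants recall and reviews the evidence
// lines by hand. Network use hidden inside a library (the scraper) is caught
// by naming the package, since no URL appears in the calling code.
const RULES = [
  { resource: 'Browser', level: 'READ', pattern: /useCookiesFromBrowser\s*\(/ },
  { resource: 'Network', level: 'READ',
    pattern: /https?:\/\/|\bfetch\s*\(|\baxios\b|@the-convocation\/twitter-scraper/ },
  { resource: 'Filesystem', level: 'WRITE', pattern: /\b(writeFile|appendFile|mkdir)(Sync)?\s*\(/ },
  { resource: 'Filesystem', level: 'READ', pattern: /\breadFile(Sync)?\s*\(/ },
  { resource: 'Shell', level: 'EXEC', pattern: /\bchild_process\b|\b(exec|execSync|spawn)\s*\(/ },
];

const LEVEL_RANK = { NONE: 0, READ: 1, WRITE: 2, EXEC: 3 };

// Parse "permissions: [browser:READ, filesystem:WRITE]" out of the front matter.
function parseDeclaredPermissions(skillMd) {
  const declared = {};
  const fm = /^---\n([\s\S]*?)\n---/.exec(skillMd);
  const list = fm && /^permissions:\s*\[([^\]]*)\]/m.exec(fm[1]);
  if (!list) return declared;
  for (const item of list[1].split(',')) {
    const [resource, level] = item.trim().split(':');
    if (resource) declared[resource.toLowerCase()] = (level || 'READ').toUpperCase();
  }
  return declared;
}

// Walk every line of every script; keep the highest level seen per resource
// and every matching line as evidence, as the report's Evidence column does.
function inferCapabilities(scripts) {
  const inferred = {};
  for (const [file, text] of Object.entries(scripts)) {
    text.split('\n').forEach((line, idx) => {
      for (const rule of RULES) {
        if (!rule.pattern.test(line)) continue;
        const entry = inferred[rule.resource] || { level: 'NONE', evidence: [] };
        if (LEVEL_RANK[rule.level] > LEVEL_RANK[entry.level]) entry.level = rule.level;
        entry.evidence.push(`${file}:${idx + 1} ${line.trim()}`);
        inferred[rule.resource] = entry;
      }
    });
  }
  return inferred;
}

// A resource is a violation when the code needs more than SKILL.md declares.
function auditSkill(skillMd, scripts) {
  const declared = parseDeclaredPermissions(skillMd);
  const inferred = inferCapabilities(scripts);
  return Object.entries(inferred).map(([resource, info]) => {
    const declaredLevel = declared[resource.toLowerCase()] || 'NONE';
    const violation = LEVEL_RANK[info.level] > LEVEL_RANK[declaredLevel];
    return { resource, declared: declaredLevel, inferred: info.level,
             status: violation ? 'Violation' : 'Aligned', evidence: info.evidence };
  });
}
```

With the constructed inputs the audit returns Browser and Network as violations and Filesystem as aligned, matching the table above; Shell never appears because no rule fires. The useful property of this layout is that adding a rule (a new package known to open sockets, a new cookie-reading API) is one line, and every status carries the exact lines a reviewer must read to confirm or dismiss it.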
Indicators: 2 findings (1 High)
🔑 High | API Key | suspected hardcoded credential
API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ'
scripts/x-monitor.js:11
🔗 Medium | External URL
https://open.feishu.cn/open-apis
scripts/x-monitor.js:8

File Tree

5 files · 22.8 KB · 609 lines
JavaScript: 2 files · 445 lines; Markdown: 2 files · 147 lines; JSON: 1 file · 17 lines
├─ 📁 references
│ └─ 📝 account-list.md Markdown 54L · 2.9 KB
├─ 📁 scripts
│ ├─ 📜 x-monitor.js JavaScript 235L · 8.1 KB
│ └─ 📜 x-scraper-free.js JavaScript 210L · 7.5 KB
├─ 📋 package.json JSON 17L · 510 B
└─ 📝 SKILL.md Markdown 93L · 3.8 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
@the-convocation/twitter-scraper | ^0.22.1 | npm | No | Version not pinned: caret on a 0.x version allows patch updates (<0.23.0)
axios | ^1.6.0 | npm | No | Version not pinned: caret allows minor and patch updates (<2.0.0)
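The supply-chain finding and the dependency table both turn on what a caret range actually permits, and npm's rule differs for 0.x versions. The block below is an added example, not code from the x-daily-report skill: it reads a package.json manifest and reports, per dependency, whether the version is pinned and how far it may float. The manifest is constructed inline from the two dependencies listed above; a real run would load the project's own package.json.

```javascript
// Added example, not code from the x-daily-report skill: audit package.json
// version ranges under npm's caret and tilde semantics.
// Assumption: SAMPLE_PACKAGE_JSON is constructed from the two listed dependencies.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'x-daily-report',
  dependencies: {
    '@the-convocation/twitter-scraper': '^0.22.1',
    axios: '^1.6.0',
  },
});

// npm caret rule: ^x.y.z permits changes that leave the leftmost non-zero
// component unchanged. So ^1.6.0 floats to <2.0.0 (minor and patch),
// ^0.22.1 only to <0.23.0 (patch), and ^0.0.3 only to <0.0.4 (nothing).
function caretUpperBound(major, minor, patch) {
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function analyzeRange(range) {
  const m = /^(\^|~)?(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return { range, pinned: false, floats: 'unknown', upperBound: null };
  const op = m[1];
  const [major, minor, patch] = [m[2], m[3], m[4]].map(Number);
  if (!op) return { range, pinned: true, floats: 'none', upperBound: null };
  if (op === '~') {
    // tilde: patch updates only, whatever the major.
    return { range, pinned: false, floats: 'patch', upperBound: `${major}.${minor + 1}.0` };
  }
  const upperBound = caretUpperBound(major, minor, patch);
  const floats = major > 0 ? 'minor+patch' : minor > 0 ? 'patch' : 'none';
  return { range, pinned: false, floats, upperBound };
}

// Returns one record per dependency (runtime and dev) with the floating range.
function auditDependencies(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  return Object.entries(deps).map(([name, range]) => ({ name, ...analyzeRange(range) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const d of auditDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`${d.name} ${d.range}: pinned=${d.pinned} floats=${d.floats} upperBound=${d.upperBound}`);
  }
}
```

Pinning the ranges in package.json only fixes the direct dependencies; the same audit applied to the lockfile is what covers the transitive tree, which is why the remediation above pairs exact versions with a committed package-lock.json and npm ci.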

Security Positives

✓ No shell command execution or subprocess usage detected
✓ No obfuscated code found; the only base64-encoded string is the hardcoded API key itself (see the High finding above)
✓ No network exfiltration or C2 communication observed; outbound traffic is limited to X/Twitter and open.feishu.cn, both flagged above as undeclared
✓ No credential harvesting loops or suspicious environment variable iteration
✓ No reverse shell, eval(), or dynamic code execution
✓ File writes are scoped to report output and are documented behavior
✓ No cron, startup hooks, or persistence mechanisms found