Suspicious: risk score 48/100
Last scan: 1 day ago
x-daily-report
Automatically monitors the X/Twitter accounts of leading global AI figures every day and generates a structured daily report.
The skill implements X/Twitter monitoring with undeclared browser cookie access, a hardcoded API key, and undocumented Feishu API communication, none of which is mentioned in SKILL.md.
Skill name: x-daily-report
Analysis time: 50.5s
Engine: pi
Use with caution
Remove hardcoded API key, declare browser:READ permission for Chrome cookie access, and document the Feishu integration in SKILL.md. Pin dependency versions.

Security findings: 5

Severity · Finding · Location
High
Hardcoded API Key in Source Code (credential theft)
A plaintext X API key is embedded in scripts/x-monitor.js at line 11. The literal is a base64 string that decodes to a colon-separated key:secret pair, the form X expects in the Basic Authorization header of an app-only bearer-token request; its secret half is only five characters, far shorter than a real consumer secret, so it is most likely a placeholder. Hardcoding credentials in source is still a serious anti-pattern: whatever value sits in that slot is readable by anyone with the repository and stays in version-control history after it is removed.
const X_API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ';
→ Remove the hardcoded credential, read it from the environment (process.env.X_API_KEY) and fail if it is unset, document the required variable in SKILL.md, and rotate the key if it was ever a live one.
scripts/x-monitor.js:11
High
Undeclared Browser Cookie Access (documentation deception)
x-scraper-free.js calls scraper.useCookiesFromBrowser('chrome') to read session cookies from the user's live Chrome profile and authenticate to X with them. This capability is not declared anywhere in SKILL.md. Chrome keeps the cookies of every site the user is logged into in one store, so code that can open and decrypt that store for X holds the capability to read any other site's session as well; an agent running this skill should be assumed to have that reach.
await scraper.useCookiesFromBrowser('chrome');
→ Declare browser:READ in SKILL.md and explain why reusing Chrome cookies is necessary; prefer an explicitly user-supplied X session cookie over reading the whole browser store.
scripts/x-scraper-free.js:90
Medium
Undeclared Feishu/Bitable API Communication (documentation deception)
x-monitor.js talks to open.feishu.cn to fetch its account list from a Feishu Bitable, reading FEISHU_ACCESS_TOKEN from the environment for that call. This external data source is not documented in SKILL.md, which describes only the free and API modes and never mentions Feishu.
const FEISHU_API_BASE = 'https://open.feishu.cn/open-apis';
→ Document Feishu Bitable integration in SKILL.md if intentional, or remove the code if unnecessary.
scripts/x-monitor.js:8
Medium
Unpinned Dependency Versions (supply chain)
@the-convocation/twitter-scraper (^0.22.1) and axios (^1.6.0) are listed with caret ranges. For a 0.x package the caret freezes the minor component, so ^0.22.1 admits any 0.22.x patch release; for axios it admits every 1.x minor and patch release below 2.0.0. In either window a compromised upstream release is installed silently on the next install that is not driven by a lockfile.
"@the-convocation/twitter-scraper": "^0.22.1"
→ Pin exact versions (e.g., "0.22.1") and commit package-lock.json so installs run through npm ci against recorded versions and integrity hashes; pinning package.json alone does not constrain transitive dependencies.
package.json:10
Low
SKILL.md Misleading Zero-Cost Claim (documentation deception)
SKILL.md prominently advertises 'zero-cost operation' and 'no X developer account required' but ships x-monitor.js, which explicitly requires X_API_KEY. x-scraper-free.js is the recommended path, but the presence of x-monitor.js with a hardcoded key contradicts the zero-cost messaging.
✅ **Zero-cost operation**: supports a free, API-less scraper mode; no X developer account required
→ Clarify that an API-requiring mode exists alongside the free mode, or remove x-monitor.js if it's not a supported feature.
SKILL.md:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✓ Consistent | x-scraper-free.js:9 — writeFile() used for local report output, documented in SK…
Network | NONE | READ | ✗ Exceeds declaration | x-scraper-free.js:7 — Scraper fetches X/Twitter; x-monitor.js:8 — Feishu API cal…
Browser | NONE | READ | ✗ Exceeds declaration | x-scraper-free.js:90 — scraper.useCookiesFromBrowser('chrome') extracts live X s…
Command execution | NONE | NONE | | No subprocess, exec, or shell command execution found
Environment variables | NONE | NONE | | No env iteration for secrets; FEISHU_ACCESS_TOKEN read only when used
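The declared-versus-inferred table above is the heart of the verdict. As an added example, not the scanner's or the skill's own code, the JavaScript below shows how such an inference can be made: a table of capability indicators is matched against each script, the strongest access level per resource is kept together with its file:line evidence, and the result is compared with what SKILL.md declares. The indicator patterns, the resource names, the declared-permission object and the two sample scripts are constructed for this example and only mirror the calls the report cites.

```javascript
// Added example (not the scanner's or the skill's code): infer which resources
// a skill's scripts touch from capability indicators in their source text and
// compare the result with the permissions SKILL.md declares.

const LEVELS = { NONE: 0, READ: 1, WRITE: 2 };

// Indicator table (an assumption for this example): a source pattern and the
// resource/access level its presence implies.
const INDICATORS = [
  { resource: 'browser',     level: 'READ',  pattern: /useCookiesFromBrowser\s*\(/ },
  { resource: 'network',     level: 'READ',  pattern: /\b(?:fetch|axios\.(?:get|post|request))\s*\(|https?:\/\/[\w.-]+/ },
  { resource: 'filesystem',  level: 'READ',  pattern: /\b(?:readFile|readFileSync)\s*\(/ },
  { resource: 'filesystem',  level: 'WRITE', pattern: /\b(?:writeFile|writeFileSync|appendFile|appendFileSync)\s*\(/ },
  { resource: 'command',     level: 'WRITE', pattern: /\b(?:exec|execSync|spawn|spawnSync)\s*\(|\bchild_process\b/ },
  { resource: 'environment', level: 'READ',  pattern: /Object\.(?:keys|entries|values)\s*\(\s*process\.env\s*\)|\bin\s+process\.env\b/ },
];

// files: { path: sourceText }. Returns { resource: { level, evidence: ['path:line', ...] } },
// keeping the strongest level seen per resource and every line that reached it.
function inferPermissions(files) {
  const inferred = {};
  for (const { resource } of INDICATORS) inferred[resource] = { level: 'NONE', evidence: [] };
  for (const [path, source] of Object.entries(files)) {
    source.split('\n').forEach((line, idx) => {
      for (const { resource, level, pattern } of INDICATORS) {
        if (!pattern.test(line)) continue;
        const current = inferred[resource];
        const where = `${path}:${idx + 1}`;
        if (LEVELS[level] > LEVELS[current.level]) {
          inferred[resource] = { level, evidence: [where] };
        } else if (LEVELS[level] === LEVELS[current.level] && !current.evidence.includes(where)) {
          current.evidence.push(where);
        }
      }
    });
  }
  return inferred;
}

// declared: { resource: 'READ' | 'WRITE' } as a SKILL.md might state it; anything
// not listed counts as NONE. A resource is consistent when the declared level
// covers the inferred one; otherwise the skill exceeds its declaration.
function comparePermissions(declared, inferred) {
  const report = {};
  for (const [resource, { level, evidence }] of Object.entries(inferred)) {
    const declaredLevel = declared[resource] || 'NONE';
    report[resource] = {
      declared: declaredLevel,
      inferred: level,
      status: LEVELS[level] <= LEVELS[declaredLevel] ? 'consistent' : 'exceeds',
      evidence,
    };
  }
  return report;
}

// Constructed sample scripts mirroring the calls the report cites.
const SAMPLE_FILES = {
  'scripts/x-scraper-free.js': [
    "const { writeFile } = require('fs/promises');",
    "const { Scraper } = require('@the-convocation/twitter-scraper');",
    "const scraper = new Scraper();",
    "await scraper.useCookiesFromBrowser('chrome');",
    "await writeFile('report.md', body);",
  ].join('\n'),
  'scripts/x-monitor.js': [
    "const axios = require('axios');",
    "const FEISHU_API_BASE = 'https://open.feishu.cn/open-apis';",
    "const rows = await axios.get(FEISHU_API_BASE);",
  ].join('\n'),
};

// Constructed declaration: SKILL.md documents the report file output and nothing else.
const SAMPLE_DECLARED = { filesystem: 'WRITE' };

const SAMPLE_REPORT = comparePermissions(SAMPLE_DECLARED, inferPermissions(SAMPLE_FILES));
for (const [resource, row] of Object.entries(SAMPLE_REPORT)) {
  console.log(`${resource}: declared ${row.declared}, inferred ${row.inferred} -> ${row.status} ${row.evidence.join(', ')}`);
}
```

Pattern matching over source text is a first pass, not proof: a dynamic require or a capability hidden behind string concatenation will slip past it, which is why the report's verdict also leans on what the scripts actually call at runtime.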
Indicators: 2 findings (1 high)
🔑 High · API key · Suspected hardcoded credential
API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ'
scripts/x-monitor.js:11
🔗 Medium · External URL
https://open.feishu.cn/open-apis
scripts/x-monitor.js:8
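Finding 1 and the API-key indicator above point at the same literal. The following is an added example, not code from the x-daily-report skill or from the scanner: a small JavaScript check that finds credential-shaped assignments in a source file, decodes base64 candidates to show what they hold, and the fail-closed loader the remediation calls for. The identifier heuristic (names containing KEY, SECRET or TOKEN), the 16-character minimum literal length and the sample source are assumptions made for this example.

```javascript
// Added example (not code from x-daily-report or the scanner): find
// credential-shaped assignments in a JS source file, decode base64 literals to
// show what they hold, and load the key from the environment instead.

// Assumption for this example: credentials live in identifiers containing
// KEY, SECRET or TOKEN and are assigned a quoted literal of 16+ characters.
const CREDENTIAL_ASSIGNMENT =
  /\b(?:const|let|var)\s+([A-Za-z_]*(?:KEY|SECRET|TOKEN)[A-Za-z_]*)\s*=\s*(['"`])([^'"`]{16,})\2/g;

const BASE64_SHAPE = /^[A-Za-z0-9+/]+={0,2}$/;

// If the literal is base64, decode it and report whether it is a printable
// "key:secret" pair, the form X's app-only bearer-token request carries in
// its Basic Authorization header.
function decodeCandidate(literal) {
  if (!BASE64_SHAPE.test(literal)) return null;
  const decoded = Buffer.from(literal, 'base64').toString('utf8');
  if (!/^[\x20-\x7e]+$/.test(decoded)) return null;
  const parts = decoded.split(':');
  return { decoded, looksLikeKeySecretPair: parts.length === 2 && parts.every((p) => p.length > 0) };
}

// Scan source text line by line; each hit carries the line number, identifier,
// the literal and (when it decodes) the decoded view.
function findHardcodedCredentials(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(CREDENTIAL_ASSIGNMENT)) {
      const [, name, , literal] = m;
      findings.push({ line: idx + 1, name, literal, decoded: decodeCandidate(literal) });
    }
  });
  return findings;
}

// Fail-closed replacement for `const X_API_KEY = '...'`: a missing variable
// stops the script with a clear message instead of producing an
// unauthenticated request later. `env` is injectable so it can be tested.
function loadXApiKey(env = process.env) {
  const key = env.X_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('X_API_KEY is not set; export it before running x-monitor.js');
  }
  return key.trim();
}

// Constructed sample mirroring the pattern reported at scripts/x-monitor.js:11.
const SAMPLE_SOURCE = [
  "const FEISHU_API_BASE = 'https://open.feishu.cn/open-apis';",
  "const X_API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ';",
  "const FEISHU_ACCESS_TOKEN = process.env.FEISHU_ACCESS_TOKEN;",
].join('\n');

for (const f of findHardcodedCredentials(SAMPLE_SOURCE)) {
  const view = f.decoded ? ` (base64 of "${f.decoded.decoded}")` : '';
  console.log(`line ${f.line}: ${f.name} is hardcoded${view}`);
}
```

Run against the sample, the check flags only the X_API_KEY line; the FEISHU_ACCESS_TOKEN line is skipped because its value comes from process.env rather than a quoted literal, which is exactly the shape the remediation asks for.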

Directory structure

5 files · 22.8 KB · 609 lines
JavaScript 2 files · 445 lines; Markdown 2 files · 147 lines; JSON 1 file · 17 lines
├─ 📁 references
│ └─ 📝 account-list.md Markdown 54L · 2.9 KB
├─ 📁 scripts
│ ├─ 📜 x-monitor.js JavaScript 235L · 8.1 KB
│ └─ 📜 x-scraper-free.js JavaScript 210L · 7.5 KB
├─ 📋 package.json JSON 17L · 510 B
└─ 📝 SKILL.md Markdown 93L · 3.8 KB

Dependency analysis: 2 packages

Package | Version | Source | Known vulnerabilities | Notes
@the-convocation/twitter-scraper | ^0.22.1 | npm | | Version not pinned; any 0.22.x patch release (<0.23.0) is installed automatically
axios | ^1.6.0 | npm | | Version not pinned; any 1.x minor or patch release (<2.0.0) is installed automatically
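Finding 4 and the dependency table both turn on what a caret range actually admits. The JavaScript below is an added example, not part of the skill or the scanner, that computes the upgrade window each package.json range leaves open (following npm's caret and tilde rules) and emits the pinned dependency map the remediation asks for; the sample package.json is constructed to mirror the two dependencies listed.

```javascript
// Added example (not part of x-daily-report): what does a package.json range
// actually let npm install? Handles the exact, caret (^) and tilde (~) forms
// that ordinary manifests use; anything else is reported as unhandled rather
// than guessed at.

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Describe the window a range opens. `ceiling` is exclusive. The caret freezes
// the leftmost non-zero component, which is why ^0.22.1 admits only 0.22.x
// while ^1.6.0 admits every 1.x release.
function rangeWindow(range) {
  const op = range.startsWith('^') ? 'caret' : range.startsWith('~') ? 'tilde' : 'exact';
  const parsed = parseVersion(op === 'exact' ? range : range.slice(1));
  if (!parsed) return { range, op: 'unhandled', floor: null, ceiling: null, allows: 'unknown (review manually)' };
  const [major, minor, patch] = parsed;
  const floor = `${major}.${minor}.${patch}`;
  if (op === 'exact') return { range, op, floor, ceiling: floor, allows: 'none (pinned)' };
  if (op === 'tilde') return { range, op, floor, ceiling: `${major}.${minor + 1}.0`, allows: 'patch' };
  if (major > 0) return { range, op, floor, ceiling: `${major + 1}.0.0`, allows: 'minor and patch' };
  if (minor > 0) return { range, op, floor, ceiling: `0.${minor + 1}.0`, allows: 'patch' };
  return { range, op, floor, ceiling: `0.0.${patch + 1}`, allows: 'none (0.0.x caret is exact)' };
}

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Audit every dependency section of a package.json string.
function auditDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const rows = [];
  for (const section of SECTIONS) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const win = rangeWindow(range);
      rows.push({ section, name, ...win, unpinned: win.op !== 'exact' });
    }
  }
  return rows;
}

// Produce the pinned manifest the remediation asks for: each handled range is
// replaced by its floor. Unhandled ranges are left as-is so they get reviewed.
function pinDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  for (const section of SECTIONS) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const { floor } = rangeWindow(range);
      if (floor) pkg[section][name] = floor;
    }
  }
  return JSON.stringify(pkg, null, 2);
}

// Constructed sample mirroring the two dependencies in the report.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'x-daily-report',
  dependencies: {
    '@the-convocation/twitter-scraper': '^0.22.1',
    axios: '^1.6.0',
  },
});

for (const row of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${row.name} ${row.range}: >=${row.floor} <${row.ceiling} (allows ${row.allows})`);
}
```

Pinning package.json only constrains direct dependencies; commit package-lock.json and install with npm ci so transitive packages are also held to recorded versions and integrity hashes.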

Security highlights

✓ No shell command execution or subprocess usage detected
✓ No obfuscated code found; the only base64-encoded string is the API key literal flagged above, which decodes to a plain key:secret pair rather than hidden code
✓ No network exfiltration or C2 communication observed
✓ No credential harvesting loops or suspicious environment variable iteration
✓ No reverse shell, eval(), or dynamic code execution
✓ File writes are scoped to report output and are documented behavior
✓ No cron, startup hooks, or persistence mechanisms found