Low Risk — Risk Score 15/100
Last scan: 23 hr ago
xhs-monitor
Xiaohongshu competitor monitoring: automatically collects competitor notes, pushes Feishu notifications, and writes to a data dashboard
Legitimate Xiaohongshu competitor monitoring tool with no malicious behavior detected. All functionality is consistent with documented behavior.
Skill Name: xhs-monitor
Duration: 39.3s
Engine: pi
Safe to install
Approve for use. Monitor for dependency updates and ensure config.js is not shared publicly.

Findings (1 item)

Severity  Finding                                       Location
Low       Dependencies not pinned to specific versions  Supply Chain
SKILL.md specifies puppeteer-core installation without version constraints, so a future compromised release of the package would be pulled in automatically.
{"id":"puppeteer","kind":"npm","module":"puppeteer-core"}
→ Pin to specific version: [email protected]
SKILL.md:23
Resource    Declared  Inferred  Status     Evidence
Filesystem  WRITE     WRITE     ✓ Aligned  dedupe.js:31 writes history.csv, main.js:5 reads config
Network     READ      READ      ✓ Aligned  scraper.js:175 navigates to xiaohongshu.com, notify.js pushes to feishu webhook
Shell       WRITE     WRITE     ✓ Aligned  scheduler.js:30 uses child_process.spawn for cron execution
Browser     WRITE     WRITE     ✓ Aligned  scraper.js:175 uses puppeteer-core for web scraping
External URLs (5 findings)

Severity  Finding       URL                                                       Location
Medium    External URL  https://www.xiaohongshu.com/user/profile/用户ID1           SKILL.md:83
Medium    External URL  https://www.xiaohongshu.com/user/profile/用户ID2           SKILL.md:84
Medium    External URL  https://www.xiaohongshu.com/                              SKILL.md:98
Medium    External URL  https://www.xiaohongshu.com/user/profile/小红书用户ID       config.example.js:20
Medium    External URL  https://www.xiaohongshu.com/user/profile/                 config.js:12

File Tree

12 files · 32.5 KB · 1194 lines
JavaScript: 10 files, 966 lines · Markdown: 1 file, 183 lines · Shell: 1 file, 45 lines
├─ 📜 config.example.js JavaScript 26L · 745 B
├─ 📜 config.js JavaScript 27L · 860 B
├─ 📜 daemon.js JavaScript 70L · 1.9 KB
├─ 📜 dedupe.js JavaScript 60L · 1.4 KB
├─ 📜 interactive.js JavaScript 181L · 5.1 KB
├─ 📜 main.js JavaScript 20L · 663 B
├─ 📜 notify.example.js JavaScript 75L · 2.6 KB
├─ 📜 parser.js JavaScript 115L · 3.3 KB
├─ 🔧 run.sh Shell 45L · 1.4 KB
├─ 📜 scheduler.js JavaScript 45L · 931 B
├─ 📜 scraper.js JavaScript 347L · 9.6 KB
└─ 📝 SKILL.md Markdown 183L · 4.1 KB

Dependencies (1 item)

Package         Version      Source  Known Vulns  Notes
puppeteer-core  unspecified  npm     No           Version not pinned in SKILL.md install declaration

Security Positives

✓ Uses puppeteer-core instead of full puppeteer (reduces attack surface)
✓ No credential harvesting or environment variable theft
✓ No data exfiltration to unknown external endpoints
✓ No obfuscated code, base64, or eval usage
✓ No reverse shell or C2 communication
✓ All network requests target documented endpoints (xiaohongshu.com, feishu webhook)
✓ User data directories are session-scoped with timestamps
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)