Low risk: risk score 15/100
Last scan: 1 day ago
xhs-monitor
Xiaohongshu competitor monitoring: automatically collects competitor notes, pushes Feishu notifications, and writes to a data dashboard
Legitimate Xiaohongshu competitor monitoring tool with no malicious behavior detected. All functionality is consistent with documented behavior.
Skill name: xhs-monitor
Analysis time: 39.3s
Engine: pi
Safe to install
Approve for use. Monitor for dependency updates and ensure config.js is not shared publicly.

Security findings: 1

Severity | Finding | Location
Low | Dependencies not pinned to specific versions | Supply chain
SKILL.md specifies puppeteer-core installation without version constraints, which could allow malicious updates in the future.
{"id":"puppeteer","kind":"npm","module":"puppeteer-core"}
→ Pin to specific version: [email protected]
SKILL.md:23
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | dedupe.js:31 writes history.csv, main.js:5 reads config
Network access | READ | READ | ✓ Consistent | scraper.js:175 navigates to xiaohongshu.com, notify.js pushes to feishu webhook
Command execution | WRITE | WRITE | ✓ Consistent | scheduler.js:30 uses child_process.spawn for cron execution
Browser | WRITE | WRITE | ✓ Consistent | scraper.js:175 uses puppeteer-core for web scraping
5 findings
Severity | Type | URL | Location
Medium | External URL | https://www.xiaohongshu.com/user/profile/用户ID1 | SKILL.md:83
Medium | External URL | https://www.xiaohongshu.com/user/profile/用户ID2 | SKILL.md:84
Medium | External URL | https://www.xiaohongshu.com/ | SKILL.md:98
Medium | External URL | https://www.xiaohongshu.com/user/profile/小红书用户ID | config.example.js:20
Medium | External URL | https://www.xiaohongshu.com/user/profile/ | config.js:12

Directory structure

12 files · 32.5 KB · 1194 lines
JavaScript: 10 files · 966 lines; Markdown: 1 file · 183 lines; Shell: 1 file · 45 lines
├─ 📜 config.example.js JavaScript 26L · 745 B
├─ 📜 config.js JavaScript 27L · 860 B
├─ 📜 daemon.js JavaScript 70L · 1.9 KB
├─ 📜 dedupe.js JavaScript 60L · 1.4 KB
├─ 📜 interactive.js JavaScript 181L · 5.1 KB
├─ 📜 main.js JavaScript 20L · 663 B
├─ 📜 notify.example.js JavaScript 75L · 2.6 KB
├─ 📜 parser.js JavaScript 115L · 3.3 KB
├─ 🔧 run.sh Shell 45L · 1.4 KB
├─ 📜 scheduler.js JavaScript 45L · 931 B
├─ 📜 scraper.js JavaScript 347L · 9.6 KB
└─ 📝 SKILL.md Markdown 183L · 4.1 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
puppeteer-core | unspecified | npm | (none listed) | Version not pinned in SKILL.md install declaration

Security highlights

✓ Uses puppeteer-core instead of full puppeteer (reduces attack surface)
✓ No credential harvesting or environment variable theft
✓ No data exfiltration to unknown external endpoints
✓ No obfuscated code, base64, or eval usage
✓ No reverse shell or C2 communication
✓ All network requests target documented endpoints (xiaohongshu.com, feishu webhook)
✓ User data directories are session-scoped with timestamps
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)