xhs-crawler 安全扫描报告 — 可疑 | ClawSafe

40 /100

xhs-crawler

小红书关键词爬取 Skill — 浏览器模拟搜索 + 飞书推送

Hardcoded Feishu App Secret exposed in both source code and SKILL.md documentation, plus unpinned Python dependencies with no network isolation, constitute undeclared sensitive credential exposure and dependency supply chain risk.

技能名称xhs-crawler

分析耗时64.6s

引擎pi

⚠

谨慎使用

Move Feishu App ID/Secret to environment variables or a .env file, pin all dependency versions (playwright, requests), and remove credentials from SKILL.md before deployment.

安全发现 5 项

严重性	安全发现	位置
高危	Feishu App Secret hardcoded and documented FEISHU_APP_ID='cli_a924d921ce7a9cbd' and FEISHU_APP_SECRET='5QG92Lp8kvhAkgpPJTd57fIxshnCebEt' are hardcoded in config.py lines 89-90. SKILL.md lines 64-67 reproduce the exact same credentials in a documentation example block, meaning anyone with repo access or who receives this skill sees the live credentials. This creates a credential-leak blast radius: the Feishu bot can send messages to any group the bot has been added to. `FEISHU_APP_ID = "cli_a924d921ce7a9cbd" FEISHU_APP_SECRET = "5QG92Lp8kvhAkgpPJTd57fIxshnCebEt"` → Move credentials to environment variables (os.environ.get('FEISHU_APP_ID')) or a .env file added to .gitignore, and remove the credential block from SKILL.md example	`config.py:89`
高危	No dependency pinning — supply chain risk package.json has empty dependencies {}; no requirements.txt exists. SKILL.md instructs 'pip install playwright requests' without version pins. This allows dependency confusion attacks or a malicious future release of a transitive dependency to be silently installed. `"dependencies": {}` → Add requirements.txt with pinned versions (e.g., playwright==1.40.0 requests==2.31.0) and update package.json dependencies	`package.json:9`
中危	Node.js exec() with arbitrary command injection surface index.js:runPythonScript builds a shell command string with user-supplied keyword passed directly into exec(). While the keyword is URI-component free in the current code flow, a future change could introduce injection. The command also uses a 2-minute timeout and 10MB buffer which are appropriate. const cmd = `"${this.pythonEnv}" "${this.pythonScript}" "${command}"`; → Use spawn() with explicit argument array instead of shell string interpolation, or validate the keyword as alphanumeric-only Chinese string	`index.js:122`
中危	Chrome profile directory stored in user home XHS_USER_DATA_DIR defaults to Path.home() / 'xhs_chrome_profile', meaning the skill stores browser session data under the user's home directory. This is necessary for cookie persistence but expands the blast radius if the profile is compromised. `XHS_USER_DATA_DIR = Path.home() / "xhs_chrome_profile"` → Document this clearly and consider using a scoped subdirectory within the skill folder instead of ~/	`config.py:18`
低危	Pre-scan false positive: IP address misidentified The pre-scan flagged '143.0.0.0' at config.py:50 as a hardcoded IP. This is actually the Chromium browser version number (143.0.0.0) embedded in the User-Agent string, not a network IP address. No malicious IP C2 indicator. `"user-agent": "...Chrome/143.0.0.0..."` → No action needed; this is a version number, not an IP	`config.py:46`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✓ 一致	cookie_manager.py writes cookie.txt; logs/xhs_crawler.log created; all within sk…
网络访问	`READ`	`READ`	✓ 一致	requests to xiaohongshu.com (search API + browser), open.feishu.cn (Feishu OpenA…
命令执行	`WRITE`	`WRITE`	✓ 一致	index.js uses child_process.exec() to run python script; python itself uses play…
环境变量	`NONE`	`READ`	✓ 一致	config.py reads no env vars; but feishu_app_bot.py sends App ID/Secret in POST b…

1 高危 14 项发现

📡

高危 IP 地址硬编码 IP 地址

143.0.0.0

config.py:50

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore

auto_login_with_qrcode.py:96

🔗

中危外部 URL 外部 URL

https://edith.xiaohongshu.com/api/sns/web/v1/search/notes

config.py:30

🔗

中危外部 URL 外部 URL

https://edith.xiaohongshu.com/api/sns/web/v1/feed

config.py:31

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com

config.py:40

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/

config.py:43

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/user/profile

cookie_manager.py:82

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal

feishu_app_bot.py:67

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/im/v1/messages

feishu_app_bot.py:109

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/im/v1/images

feishu_app_bot.py:222

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/open-apis/im/v1/chats

feishu_app_bot.py:368

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/

xhs_crawler.py:181

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/search_result?keyword=

xhs_search_with_browser.py:86

🔗

中危外部 URL 外部 URL

https://open.feishu.cn/

使用文档.md:67

目录结构

15 文件 · 94.0 KB · 3138 行

Python 10f · 2525L Markdown 2f · 420L JavaScript 1f · 175L JSON 1f · 17L Text 1f · 1L

├─ 🐍 __init__.py Python 26L · 590 B

├─ 🐍 auto_login_with_qrcode.py Python 319L · 10.2 KB

├─ 🐍 config.py Python 98L · 2.9 KB

├─ 🐍 cookie_manager.py Python 327L · 10.1 KB

├─ 📄 cookie.txt Text 1L · 880 B

├─ 🐍 example_openclaw_skill.py Python 218L · 6.3 KB

├─ 🐍 feishu_app_bot.py Python 444L · 13.2 KB

├─ 🐍 feishu_bot.py Python 300L · 8.1 KB

├─ 📜 index.js JavaScript 175L · 5.6 KB

├─ 🐍 login.py Python 125L · 3.9 KB

├─ 📋 package.json JSON 17L · 412 B

├─ 📝 SKILL.md Markdown 179L · 4.5 KB

├─ 🐍 xhs_crawler.py Python 413L · 12.5 KB

├─ 🐍 xhs_search_with_browser.py Python 255L · 8.9 KB

└─ 📝 使用文档.md Markdown 241L · 6.2 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`playwright`	`*`	pip	否	No version pinned — SKILL.md says 'pip install playwright' without version
`requests`	`*`	pip	否	No version pinned — SKILL.md says 'pip install requests' without version
`node`	`*`	system	否	No Node.js package.json dependencies declared

安全亮点

✓ All capabilities declared in SKILL.md align with actual implementation — no hidden functionality detected

✓ No base64-encoded payloads, no eval(), no obfuscated JavaScript

✓ No credential harvesting beyond the Feishu app credentials (which are for the bot's own API, not user data theft)

✓ No curl|bash or wget|sh remote script downloads

✓ No access to ~/.ssh, ~/.aws, or other sensitive host credential paths

✓ No reverse shell, no C2 callbacks, no data exfiltration to unknown third-party servers

✓ Playwright import is safely guarded with try/except and PLAYWRIGHT_AVAILABLE flag

✓ Browser automation uses isolated user_data_dir per session for login flow