tuniu-cli 安全扫描报告 — 低风险 | ClawSafe

25 /100

tuniu-cli

途牛旅行统一助手 — 通过 tuniu CLI 统一调用机票、酒店、门票、火车票、邮轮、度假产品等旅行服务

Single-file travel booking wrapper skill with no scripts; all capabilities are declared and consistent with its purpose, but the trustworthiness hinges entirely on the uninspectable tuniu-cli npm package.

技能名称tuniu-cli

分析耗时35.6s

引擎pi

✓

可以安装

Before production use, verify the tuniu-cli npm package integrity (hash, publisher identity, recent audit) and consider pinning it to an exact version. Since all code executes inside the tuniu-cli binary rather than within the skill itself, review the CLI's provenance carefully.

安全发现 3 项

严重性	安全发现	位置
中危	No inspectable source code The skill consists of only SKILL.md. All business logic, API calls, credential handling, and data exfiltration happen inside the tuniu-cli npm binary, which cannot be audited here. This creates a significant blind spot. `name: tuniu-cli, description: 途牛旅行统一助手...` → Verify the tuniu-cli npm package: check publisher identity, download count, recent activity, and ideally pin to a specific version. Consider hosting a pinned copy internally.	`SKILL.md:1`
中危	PII transmitted to external service Passport numbers, ID numbers, names, and phone numbers are sent to openapi.tuniu.cn via the CLI. While declared in SKILL.md, the CLI implementation cannot be audited for secondary exfiltration. `预订功能会将用户提供的个人信息（联系人姓名、手机号、乘客姓名、证件号等）通过 tuniu CLI 发送至途牛远端服务` → Ensure the tuniu-cli package is from the legitimate Tuniu publisher. Consider adding a disclaimer that PII leaves the local environment.	`SKILL.md:1`
低危	npm install without version pinning in user docs The skill documentation suggests 'npm install -g tuniu-cli@latest', which pulls the latest version at install time rather than a verified pinned version. `npm install -g tuniu-cli@latest` → Pin to a specific version hash: npm install -g [email protected] --sha512=<hash>	`SKILL.md:19`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md: '本 skill 通过 shell exec 执行 tuniu CLI 命令'
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: all tuniu call targets resolve to https://openapi.tuniu.cn/* endpoints
环境变量	`READ`	`READ`	✓ 一致	SKILL.md metadata: TUNIU_API_KEY env var required
文件系统	`NONE`	`NONE`	—	No file read/write operations described in SKILL.md
剪贴板	`NONE`	`NONE`	—	No clipboard access described
浏览器	`NONE`	`NONE`	—	No browser interaction described

4 项发现

🔗

中危外部 URL 外部 URL

https://open.tuniu.com/mcp

SKILL.md:32

🔗

中危外部 URL 外部 URL

https://openapi.tuniu.cn/tour/mcp/discovery

SKILL.md:169

🔗

中危外部 URL 外部 URL

https://openapi.tuniu.cn/mcp/hotel

SKILL.md:182

🔗

中危外部 URL 外部 URL

https://openapi.tuniu.cn/mcp/ticket

SKILL.md:183

目录结构

1 文件 · 21.9 KB · 580 行

Markdown 1f · 580L

└─ 📝 SKILL.md Markdown 580L · 21.9 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`tuniu-cli`	`latest`	npm	否	Version unpinned; source is a third-party npm package with no code in this repo — trustworthiness cannot be verified without npm audit.

安全亮点

✓ No shell scripts or Python/JS code in the skill repository — attack surface is limited to the declared tuniu CLI invocation pattern.

✓ All capabilities (shell:WRITE, network:READ, environment:READ) are clearly declared and match actual usage.

✓ No sensitive path access (~/.ssh, ~/.aws, .env files) observed.

✓ No base64, eval, curl|bash, or direct IP network requests found in the skill definition.

✓ PII handling is documented and the external data flow is described transparently.

✓ Error handling with exit codes is well-documented, suggesting a mature CLI wrapper.