smb-sales-boost Security Report — Trusted | ClawSafe

5 /100

smb-sales-boost

Query and manage leads from the SMB Sales Boost B2B lead database. Search newly registered businesses, filter by location/industry/keywords, export leads, manage filter presets, and use AI-powered category suggestions.

Legitimate B2B lead database API skill with no malicious behavior; well-documented security controls for shell injection, path traversal, and API key handling.

Skill Namesmb-sales-boost

Duration34.2s

Enginepi

✓

Safe to install

Approve for use. The only notable finding is a placeholder API key in README.md (clearly marked as example), which poses no real risk.

Findings 1 items

Severity	Finding	Location
Low	Hardcoded placeholder API key in documentation Doc Mismatch README.md line 49 contains API_KEY='smbk_your_key_here' which is clearly a placeholder example, not a real credential. This is benign but flagged as a potential false-positive risk indicator. `API_KEY="smbk_your_key_here"` → No action needed; the key is a documented placeholder example with no functional risk.	`README.md:49`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	smb_api.py uses requests.get/post/patch/put/delete to smbsalesboost.com only
Environment	`READ`	`READ`	✓ Aligned	SKILL.md declares SMB_SALES_BOOST_API_KEY in openclaw metadata; smb_api.py reads…
Filesystem	`WRITE`	`WRITE`	✓ Aligned	Files written only for export; smb_api.py:save_export_files() uses os.path.basen…
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell command execution; uses Python requests libra…

1 High 14 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="smbk_your_key_here"

README.md:49

🔗

Medium External URL 外部 URL

https://smbsalesboost.com/api/v1

README.md:23

🔗

Medium External URL 外部 URL

https://smbsalesboost.com/mcp

openapi.json:6

🔗

Medium External URL 外部 URL

https://smbsalesboost.com/docs/api/mcp-server

openapi.json:6

🔗

Medium External URL 外部 URL

https://smbsalesboost.com/support

openapi.json:10

🔗

Medium External URL 外部 URL

https://smbsalesboost.com/terms-of-service

openapi.json:12

🔗

Medium External URL 外部 URL

https://acme.com

openapi.json:207

🔗

Medium External URL 外部 URL

https://acmebusinesssolutions.com

openapi.json:1158

📧

Info Email 邮箱地址

[email protected]

README.md:169

📧

Info Email 邮箱地址

[email protected]

README.md:170

📧

Info Email 邮箱地址

[email protected]

SKILL.md:482

📧

Info Email 邮箱地址

[email protected]

SKILL.md:482

📧

Info Email 邮箱地址

[email protected]

SKILL.md:482

📧

Info Email 邮箱地址

[email protected]

openapi.json:9

File Tree

4 files · 176.3 KB · 3220 lines

JSON 1f · 2225L Markdown 2f · 811L Python 1f · 184L

├─ 📋 openapi.json JSON 2225L · 117.4 KB

├─ 📝 README.md Markdown 270L · 14.9 KB

├─ 📝 SKILL.md Markdown 541L · 35.4 KB

└─ 🐍 smb_api.py Python 184L · 8.6 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	pip	No	requests library used for HTTP; version not pinned but no known remote code execution vulns in requests

Security Positives

✓ Uses Python requests library exclusively — no shell commands constructed from user input, eliminating shell injection vector

✓ Path traversal protection enforced via os.path.basename() + extension allowlist (.csv/.json/.xlsx only)

✓ API key sent only in Authorization header — never logged, written to files, or included in error output

✓ All network traffic limited to the legitimate smbsalesboost.com domain (HTTPS)

✓ Purchase/programmatic endpoints require explicit user confirmation (documented in SKILL.md)

✓ No subprocess, os.system, base64 decoding, eval, or other code execution primitives

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No obfuscation, encoded payloads, or anti-analysis techniques

✓ No hidden functionality — code and documentation are consistent

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives