Trusted: risk score 5/100
Last scan: 1 day ago
smb-sales-boost
Query and manage leads from the SMB Sales Boost B2B lead database. Search newly registered businesses, filter by location/industry/keywords, export leads, manage filter presets, and use AI-powered category suggestions.
Legitimate B2B lead database API skill with no malicious behavior; well-documented security controls for shell injection, path traversal, and API key handling.
Skill name: smb-sales-boost
Analysis time: 34.2s
Engine: pi
Verdict: safe to install
Approve for use. The only notable finding is a placeholder API key in README.md (clearly marked as example), which poses no real risk.

Security findings (1)

Severity · Finding · Location
Low · Hardcoded placeholder API key in documentation (category: documentation deception) · README.md:49
README.md line 49 contains API_KEY='smbk_your_key_here', which is clearly a placeholder example, not a real credential. This is benign but flagged as a potential false-positive risk indicator.
API_KEY="smbk_your_key_here"
→ No action needed; the key is a documented placeholder example with no functional risk.
Resource type · Declared permission · Inferred permission · Status · Evidence
Network access · READ · READ · ✓ Consistent · smb_api.py uses requests.get/post/patch/put/delete to smbsalesboost.com only
Environment variables · READ · READ · ✓ Consistent · SKILL.md declares SMB_SALES_BOOST_API_KEY in openclaw metadata; smb_api.py reads…
File system · WRITE · WRITE · ✓ Consistent · Files written only for export; smb_api.py:save_export_files() uses os.path.basen…
Command execution · NONE · NONE · No subprocess, os.system, or shell command execution; uses Python requests libra…
Indicators: 14 findings (1 high)

High · API key · Suspected hardcoded credential: API_KEY="smbk_your_key_here" (README.md:49)
Medium · External URL: https://smbsalesboost.com/api/v1 (README.md:23)
Medium · External URL: https://smbsalesboost.com/mcp (openapi.json:6)
Medium · External URL: https://smbsalesboost.com/docs/api/mcp-server (openapi.json:6)
Medium · External URL: https://smbsalesboost.com/support (openapi.json:10)
Medium · External URL: https://smbsalesboost.com/terms-of-service (openapi.json:12)
Medium · External URL: https://acme.com (openapi.json:207)
Medium · External URL: https://acmebusinesssolutions.com (openapi.json:1158)
Info · Email address: [email protected] (README.md:169)
Info · Email address: [email protected] (README.md:170)
Info · Email address: [email protected] (SKILL.md:482)
Info · Email address: [email protected] (SKILL.md:482)
Info · Email address: [email protected] (SKILL.md:482)
Info · Email address: [email protected] (openapi.json:9)

Directory structure

4 files · 176.3 KB · 3220 lines
JSON: 1 file · 2225 lines; Markdown: 2 files · 811 lines; Python: 1 file · 184 lines
├─ openapi.json · JSON · 2225 lines · 117.4 KB
├─ README.md · Markdown · 270 lines · 14.9 KB
├─ SKILL.md · Markdown · 541 lines · 35.4 KB
└─ smb_api.py · Python · 184 lines · 8.6 KB

Dependency analysis (1)

Package · Version · Source · Known vulnerabilities · Notes
requests · * · pip · none noted · requests library used for HTTP; version not pinned, but no known remote code execution vulns in requests

Security highlights

✓ Uses Python requests library exclusively — no shell commands constructed from user input, eliminating shell injection vector
✓ Path traversal protection enforced via os.path.basename() + extension allowlist (.csv/.json/.xlsx only)
✓ API key sent only in Authorization header — never logged, written to files, or included in error output
✓ All network traffic limited to the legitimate smbsalesboost.com domain (HTTPS)
✓ Purchase/programmatic endpoints require explicit user confirmation (documented in SKILL.md)
✓ No subprocess, os.system, base64 decoding, eval, or other code execution primitives
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation, encoded payloads, or anti-analysis techniques
✓ No hidden functionality — code and documentation are consistent