Trusted: risk score 0/100
Last scan: 20 hours ago
xiaohongshu-creator-finder
Xiaohongshu AI creator finder: automatically searches the Xiaohongshu platform by preset rules and identifies original AI animation creators
A legitimate Xiaohongshu (Little Red Book) creator scraping tool that uses Playwright to browse, login via QR code, search for AI creators by keywords, scrape public profile data, and export to Excel/JSON. No malicious behavior observed.
Skill name: xiaohongshu-creator-finder
Analysis time: 35.5s
Engine: pi
Verdict: safe to install
No action needed. The skill is a standard web scraper for Xiaohongshu platform data. Consider pinning dependency versions for reproducibility.

Security findings (2)

Severity | Finding | Location

Severity: Low
Finding: Dependencies use loose version specifiers (supply chain)
requirements.txt and skill.json specify '>=X.Y.Z' rather than exact pinned versions (e.g., 'playwright==1.40.0'). This allows supply chain substitution attacks if a malicious higher version is published.
Evidence: playwright>=1.40.0
→ Pin exact versions: playwright==1.40.0, pandas==2.0.0, openpyxl==3.1.0
Location: docs/requirements.txt:1

Severity: Low
Finding: Cookies stored in plaintext JSON file (credential theft)
Xiaohongshu authentication cookies (including id_token and web_session) are stored in plain text at config/cookies.json. While this is necessary for login persistence, the file contains sensitive session tokens.
Evidence: web_session, id_token stored in plaintext
→ This is a functional requirement for the scraper but poses a risk if the workspace is compromised. Consider warning users to keep the workspace secure.
Location: config/cookies.json:1
Resource | Declared | Inferred | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md declares browsing capability
File system | WRITE | WRITE | ✓ Consistent | config/settings.json, output checkpoint/result files in src/xhs_creator_finder.p…
Command execution | NONE | NONE | | No subprocess or shell calls found
Environment variables | NONE | NONE | | No os.environ access found
Clipboard | NONE | NONE | | No clipboard access found
Browser | READ | READ | ✓ Consistent | Playwright chromium.launch in src/xhs_creator_finder.py:177
Database | NONE | NONE | | No database access found
Skill invocation | NONE | NONE | | No skill invocation found
External URLs (7 findings)

Severity | Type | URL | Location
Medium | External URL | https://www.xiaohongshu.com/user/profile/... | docs/使用说明书.md:176
Medium | External URL | https://www.xiaohongshu.com/explore/... | docs/使用说明书.md:178
Medium | External URL | https://www.xiaohongshu.com/user/profile | src/xhs_creator_finder.py:192
Medium | External URL | https://www.xiaohongshu.com/login | src/xhs_creator_finder.py:197
Medium | External URL | https://www.xiaohongshu.com/search_result?keyword= | src/xhs_creator_finder.py:229
Medium | External URL | https://www.xiaohongshu.com | src/xhs_creator_finder.py:249
Medium | External URL | https://www.xiaohongshu.com/user/profile/ | src/xhs_creator_finder.py:326

Directory structure

12 files · 41.8 KB · 1437 lines
Markdown 5 files · 721 lines; Python 2 files · 458 lines; JSON 4 files · 255 lines; Text 1 file · 3 lines
├─ 📁 config
│ ├─ 📋 config.example.json JSON 10L · 226 B
│ ├─ 📋 cookies.json JSON 151L · 3.7 KB
│ └─ 📋 settings.json JSON 10L · 282 B
├─ 📁 docs
│ ├─ 📝 README.md Markdown 120L · 3.1 KB
│ ├─ 📄 requirements.txt Text 3L · 49 B
│ ├─ 📝 SKILL.md Markdown 110L · 2.8 KB
│ ├─ 📝 STATUS.md Markdown 63L · 1.7 KB
│ └─ 📝 使用说明书.md Markdown 318L · 7.7 KB
├─ 📁 src
│ └─ 🐍 xhs_creator_finder.py Python 436L · 17.1 KB
├─ 📋 skill.json JSON 84L · 2.0 KB
├─ 📝 SKILL.md Markdown 110L · 2.8 KB
└─ 🐍 skill.py Python 22L · 469 B

Dependency analysis (3)

Package | Version | Source | Known vulnerabilities | Notes
playwright | >=1.40.0 | pip | None | Version not pinned, loose specifier
pandas | >=2.0.0 | pip | None | Version not pinned, loose specifier
openpyxl | >=3.1.0 | pip | None | Version not pinned, loose specifier

Security highlights

✓ No shell command execution (subprocess, os.system, etc.) - only Playwright browser automation
✓ No obfuscated code, base64 payloads, or eval() calls
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env, etc.)
✓ No data exfiltration - all network activity is to/from Xiaohongshu.com only
✓ No remote script execution (curl|bash, wget|sh)
✓ No credential harvesting beyond what is required for the Xiaohongshu login
✓ No persistence mechanisms (no cron jobs, startup hooks, or backdoors)
✓ No hidden functionality - SKILL.md accurately describes the tool's behavior
✓ Dependencies (playwright, pandas, openpyxl) have no known vulnerabilities
✓ Code is clean, readable, and well-documented with no suspicious patterns