Low Risk — Risk Score 20/100
Last scan: 2 days ago
TrendScope
Public opinion trend insight skill - Public opinion trend analysis and reporting tool
This is a legitimate public opinion analysis tool that connects to the Feedax API service. The main security concern is a hardcoded IP address with non-HTTPS connection, which is suspicious but explained by internal API infrastructure.
Skill Name: TrendScope
Duration: 30.8s
Engine: pi
Safe to install
Replace the hardcoded IP address with a domain name and ensure HTTPS is used for all API communications. Pin dependency versions in requirements.txt.

Findings: 3 items

Severity: Medium
Finding: Hardcoded IP Address in API Connection
The script connects to a hardcoded IP address 221.6.15.90 instead of using a domain name. This is atypical for legitimate services and makes traffic inspection/detection harder.
    API_BASE_URL = "http://221.6.15.90:18011"
→ Use the domain name from the documentation (e.g., api.feedax.cn) instead of the raw IP address.
Location: scripts/report_cli.py:31

Severity: Low
Finding: Insecure HTTP Protocol
The API connection uses plain HTTP instead of HTTPS, which could expose API keys and data in transit.
    API_BASE_URL = "http://221.6.15.90:18011"
→ Use HTTPS for all API communications to protect sensitive data.
Location: scripts/report_cli.py:31

Severity: Low
Finding: Unpinned Dependencies
The skill uses the requests and python-dotenv libraries, but no requirements.txt is present to pin their versions.
    import requests
    from dotenv import load_dotenv
→ Create a requirements.txt file to pin specific versions of dependencies.
Location: scripts/report_cli.py:9
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | skill.md declares file output; code writes to ~/Desktop/舆情分析报告/
Network | READ | READ | ✓ Aligned | skill.md declares API calls; code makes HTTP POST to Feedax API
Shell | NONE | READ | ✓ Aligned | skill.md does not declare shell usage, but script is executed via 'python3 scrip…
Indicators: 25 findings (1 High, 24 Medium)

High | Hardcoded IP Address | 221.6.15.90 | scripts/report_cli.py:31
Medium | External URL | https://gitee.com/feedax/trend-scope.git | README.md:28
Medium | External URL | https://www.iesdouyin.com/share/video/7616212349669707051 | assets/report_template.html:128
Medium | External URL | https://www.iesdouyin.com/share/video/7616302367981542827?app=aweme_hotsoon | assets/report_template.html:137
Medium | External URL | https://www.iesdouyin.com/share/video/7616302367981542827 | assets/report_template.html:150
Medium | External URL | https://www.iesdouyin.com/share/video/7616252003953726331 | assets/report_template.html:163
Medium | External URL | https://www.iesdouyin.com/share/video/7615977402434470065 | assets/report_template.html:172
Medium | External URL | https://www.iesdouyin.com/share/video/7615977402434470065?app=aweme_hotsoon | assets/report_template.html:181
Medium | External URL | https://www.iesdouyin.com/share/note/7616237602023131003 | assets/report_template.html:190
Medium | External URL | https://channels.weixin.qq.com/web/pages/feed?oid=zm3U7fZbCIc= | assets/report_template.html:199
Medium | External URL | https://www.iesdouyin.com/share/video/7615885724918963706 | assets/report_template.html:208
Medium | External URL | https://www.iesdouyin.com/share/video/7616293025266599354 | assets/report_template.html:217
Medium | External URL | https://www.iesdouyin.com/share/video/7616293025266599354?app=aweme_hotsoon | assets/report_template.html:226
Medium | External URL | https://www.iesdouyin.com/share/video/7615762266093762150 | assets/report_template.html:235
Medium | External URL | https://www.iesdouyin.com/share/video/7615762266093762150?app=aweme_hotsoon | assets/report_template.html:244
Medium | External URL | https://www.iesdouyin.com/share/video/7615878342323896955 | assets/report_template.html:253
Medium | External URL | https://www.iesdouyin.com/share/video/7616218991946856421?app=aweme_hotsoon | assets/report_template.html:262
Medium | External URL | https://www.iesdouyin.com/share/video/7616218991946856421 | assets/report_template.html:271
Medium | External URL | https://www.iesdouyin.com/share/video/7615898405571933166 | assets/report_template.html:280
Medium | External URL | https://www.iesdouyin.com/share/video/7615898405571933166?app=aweme_hotsoon | assets/report_template.html:289
Medium | External URL | https://www.iesdouyin.com/share/video/7615831326072333925 | assets/report_template.html:298
Medium | External URL | https://www.iesdouyin.com/share/video/7615833208143252081?app=aweme_hotsoon | assets/report_template.html:307
Medium | External URL | http://221.6.15.90:18011 | scripts/report_cli.py:31
Medium | External URL | https://www.feedax.cn | scripts/report_cli.py:352
Medium | External URL | https://www.feedax.cn (extracted together with the adjacent text "apply for free; once done, please tell me the API") | skill.md:31

File Tree

4 files · 86.9 KB · 2001 lines
Python: 1 file, 1023 lines · Markdown: 2 files, 630 lines · HTML: 1 file, 348 lines
├─ 📁 assets
│ └─ 📄 report_template.html HTML 348L · 23.5 KB
├─ 📁 scripts
│ └─ 🐍 report_cli.py Python 1023L · 38.5 KB
├─ 📝 README.md Markdown 63L · 1.7 KB
└─ 📝 skill.md Markdown 567L · 23.2 KB

Dependencies: 2 items

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned
python-dotenv | * | pip | No | Version not pinned

Security Positives

✓ No credential harvesting or exfiltration detected
✓ No reverse shell or C2 communication patterns
✓ No base64 encoded payloads or obfuscated code
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ API key is used only for intended API calls
✓ File operations are limited to report generation in designated directories
✓ No hidden functionality discovered - implementation matches documentation