TrendScope 安全扫描报告 — 低风险 | ClawSafe

20 /100

TrendScope

舆情趋势洞察技能 - Public opinion trend analysis and reporting tool

This is a legitimate public opinion analysis tool that connects to the Feedax API service. The main security concern is a hardcoded IP address with non-HTTPS connection, which is suspicious but explained by internal API infrastructure.

技能名称TrendScope

分析耗时30.8s

引擎pi

✓

可以安装

Replace the hardcoded IP address with a domain name and ensure HTTPS is used for all API communications. Pin dependency versions in requirements.txt.

安全发现 3 项

严重性	安全发现	位置
中危	Hardcoded IP Address in API Connection The script connects to a hardcoded IP address 221.6.15.90 instead of using a domain name. This is atypical for legitimate services and makes traffic inspection/detection harder. `API_BASE_URL = "http://221.6.15.90:18011"` → Use the domain name from the documentation (e.g., api.feedax.cn) instead of the raw IP address.	`scripts/report_cli.py:31`
低危	Insecure HTTP Protocol The API connection uses plain HTTP instead of HTTPS, which could expose API keys and data in transit. `API_BASE_URL = "http://221.6.15.90:18011"` → Use HTTPS for all API communications to protect sensitive data.	`scripts/report_cli.py:31`
低危	Unpinned Dependencies The skill uses requests and python-dotenv libraries but no requirements.txt is present to pin versions. `import requests from dotenv import load_dotenv` → Create a requirements.txt file to pin specific versions of dependencies.	`scripts/report_cli.py:9`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	skill.md declares file output; code writes to ~/Desktop/舆情分析报告/
网络访问	`READ`	`READ`	✓ 一致	skill.md declares API calls; code makes HTTP POST to Feedax API
命令执行	`NONE`	`READ`	✓ 一致	skill.md does not declare shell usage, but script is executed via 'python3 scrip…

1 高危 25 项发现

📡

高危 IP 地址硬编码 IP 地址

221.6.15.90

scripts/report_cli.py:31

🔗

中危外部 URL 外部 URL

https://gitee.com/feedax/trend-scope.git

README.md:28

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616212349669707051

assets/report_template.html:128

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616302367981542827?app=aweme_hotsoon

assets/report_template.html:137

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616302367981542827

assets/report_template.html:150

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616252003953726331

assets/report_template.html:163

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615977402434470065

assets/report_template.html:172

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615977402434470065?app=aweme_hotsoon

assets/report_template.html:181

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/note/7616237602023131003

assets/report_template.html:190

🔗

中危外部 URL 外部 URL

https://channels.weixin.qq.com/web/pages/feed?oid=zm3U7fZbCIc=

assets/report_template.html:199

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615885724918963706

assets/report_template.html:208

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616293025266599354

assets/report_template.html:217

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616293025266599354?app=aweme_hotsoon

assets/report_template.html:226

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615762266093762150

assets/report_template.html:235

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615762266093762150?app=aweme_hotsoon

assets/report_template.html:244

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615878342323896955

assets/report_template.html:253

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616218991946856421?app=aweme_hotsoon

assets/report_template.html:262

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7616218991946856421

assets/report_template.html:271

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615898405571933166

assets/report_template.html:280

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615898405571933166?app=aweme_hotsoon

assets/report_template.html:289

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615831326072333925

assets/report_template.html:298

🔗

中危外部 URL 外部 URL

https://www.iesdouyin.com/share/video/7615833208143252081?app=aweme_hotsoon

assets/report_template.html:307

🔗

中危外部 URL 外部 URL

http://221.6.15.90:18011

scripts/report_cli.py:31

🔗

中危外部 URL 外部 URL

https://www.feedax.cn

scripts/report_cli.py:352

🔗

中危外部 URL 外部 URL

https://www.feedax.cn免费申请，完成后请告诉我API

skill.md:31

目录结构

4 文件 · 86.9 KB · 2001 行

Python 1f · 1023L Markdown 2f · 630L HTML 1f · 348L

├─ ▾ 📁 assets

│ └─ 📄 report_template.html HTML 348L · 23.5 KB

├─ ▾ 📁 scripts

│ └─ 🐍 report_cli.py Python 1023L · 38.5 KB

├─ 📝 README.md Markdown 63L · 1.7 KB

└─ 📝 skill.md Markdown 567L · 23.2 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`requests`	`*`	pip	否	Version not pinned
`python-dotenv`	`*`	pip	否	Version not pinned

安全亮点

✓ No credential harvesting or exfiltration detected

✓ No reverse shell or C2 communication patterns

✓ No base64 encoded payloads or obfuscated code

✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files

✓ API key is used only for intended API calls

✓ File operations are limited to report generation in designated directories

✓ No hidden functionality discovered - implementation matches documentation