Low Risk — Risk Score 15/100
Last scan: 2 days ago
comments-monitor-reply
A cross-platform tool for automatic comment-section monitoring, intelligent replies and public-opinion (sentiment) analysis
Documentation-only skill describing a social media comment monitoring tool with no executable code present to analyze
Skill Name: comments-monitor-reply
Duration: 35.2s
Engine: pi
Safe to install
Request implementation code before deployment to verify declared security controls (encryption, local-only storage)

Findings (3 items)

[Info] No executable code present (SKILL.md:1)
This skill package contains only SKILL.md documentation. No scripts, source files, or implementation code to audit for security vulnerabilities.
Evidence: Documentation-only package
→ Obtain the actual implementation code before security assessment

[Low] Security claims unverifiable (SKILL.md:103)
SKILL.md claims AES-256-GCM encryption for credential storage and local-only data handling, but no code exists to verify that these claims match the implementation.
Evidence (quoted from SKILL.md, translated): "AES-256-GCM encryption algorithm; encrypted local storage"
→ Verify the encryption implementation in the actual code

[Info] Credential handling documented (SKILL.md:89)
Environment variables for platform credentials (CMR_XHS_COOKIE, CMR_DOUYIN_TOKEN, CMR_WECHAT_TOKEN) are documented. While handling credentials is expected for this use case, the actual exfiltration safeguards cannot be verified.
Evidence: CMR_XHS_COOKIE, CMR_DOUYIN_TOKEN, CMR_WECHAT_TOKEN
→ Ensure the actual implementation never transmits credentials externally
Resource     Declared  Inferred  Status     Evidence
Filesystem   NONE      NONE      -          No code files present
Network      READ      NONE      ✓ Aligned  SKILL.md declares platform API and webhook access only
Shell        NONE      NONE      -          No shell scripts or subprocess calls found
Environment  READ      NONE      ✓ Aligned  SKILL.md:89-96 documents credential env vars (CMR_XHS_COOKIE, etc.)
External URLs (1 finding)
[Medium] External URL: https://open.feishu.cn/xxxxxx (SKILL.md:79)

File Tree

1 file · 6.2 KB · 169 lines
Markdown: 1 file · 169 lines
└─ 📝 SKILL.md (Markdown, 169 lines, 6.2 KB)

Security Positives

✓ Comprehensive documentation describing legitimate social media management features
✓ Claims local encrypted storage without third-party upload (cannot verify without code)
✓ No base64-encoded payloads or obfuscated code detected
✓ No suspicious external IPs or domains in actual code
✓ MIT license declared
✓ Security best practices documented (token rotation, minimal permissions)