Low risk: risk score 15/100
Last scan: 2 days ago
comments-monitor-reply
Cross-platform comment section monitoring, smart reply and public opinion analysis tool
Documentation-only skill describing a social media comment monitoring tool with no executable code present to analyze
Skill name: comments-monitor-reply
Analysis time: 35.2s
Engine: pi
Verdict: can be installed
Request implementation code before deployment to verify declared security controls (encryption, local-only storage)

Security findings (3)

Severity | Finding | Location

Info | No executable code present | SKILL.md:1
  This skill package contains only SKILL.md documentation. There are no scripts, source files, or implementation code to audit for security vulnerabilities.
  Evidence: Documentation-only package
  → Obtain the actual implementation code before security assessment

Low | Security claims unverifiable | SKILL.md:103
  SKILL.md claims AES-256-GCM encryption for credential storage and local-only data handling, but no code exists to verify that these claims match the implementation.
  Evidence: "AES-256-GCM encryption algorithm, local encrypted storage"
  → Verify the encryption implementation in the actual code

Info | Credential handling documented | SKILL.md:89
  Environment variables for platform credentials (CMR_XHS_COOKIE, CMR_DOUYIN_TOKEN, CMR_WECHAT_TOKEN) are documented. Handling credentials is expected for this use case, but the actual exfiltration safeguards cannot be verified.
  Evidence: CMR_XHS_COOKIE, CMR_DOUYIN_TOKEN, CMR_WECHAT_TOKEN
  → Ensure the actual implementation never transmits credentials externally
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No code files present
Network access | READ | NONE | ✓ Consistent | SKILL.md declares platform API and webhook access only
Command execution | NONE | NONE | | No shell scripts or subprocess calls found
Environment variables | READ | NONE | ✓ Consistent | SKILL.md:89-96 documents credential env vars (CMR_XHS_COOKIE, etc.)
External URLs: 1 finding

Severity | Type | URL | Location
Medium | External URL | https://open.feishu.cn/xxxxxx | SKILL.md:79

Directory structure

1 file · 6.2 KB · 169 lines
Markdown: 1 file · 169 lines
└─ SKILL.md (Markdown, 169 lines, 6.2 KB)

Security highlights

✓ Comprehensive documentation describing legitimate social media management features
✓ Claims local encrypted storage without third-party upload (cannot verify without code)
✓ No base64-encoded payloads or obfuscated code detected
✓ No suspicious external IPs or domains in actual code
✓ MIT license declared
✓ Security best practices documented (token rotation, minimal permissions)