Name: amazon-search Security Report — Low Risk | ClawSafe
Item: amazon-search
Rating: 80
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

20 /100

amazon-search

Search Amazon product listings for a keyword and return structured JSON results

合法的 Amazon 搜索工具，所有能力与声明一致，无恶意行为发现

Skill Nameamazon-search

Duration55.5s

Enginepi

ClawHub Amazon Search v0.1.1 by mikehankk

📥 12

ClawHub Verdict Suspicious dangerous_execenv_credential_accessvt_suspicious

✓

Safe to install

可安全使用，建议关注依赖版本锁定以降低供应链风险

Findings 3 items

Severity	Finding	Location
Low	依赖包无版本锁定 Supply Chain package.json 中的依赖使用范围版本（如 playwright: ^1.58.2），未锁定精确版本，存在供应链攻击风险 `"playwright": "^1.58.2"` → 使用精确版本（如 1.58.2）或锁定版本范围以减少供应链风险	`scripts/package.json:14`
Info	访问用户缓存目录 Sensitive Access image-cache 访问 ~/.cache/trend2product/images 和 %LOCALAPPDATA%/trend2product/images，用于存储下载的图片缓存 `const xdgCacheDir = process.env.XDG_CACHE_HOME \|\| path.join(homeDir, '.cache')` → 这是正常的缓存功能，符合工具声明的用途	`scripts/vendors/image-cache/src/index.ts:18`
Info	SKILL.md 中的运行时安装命令 Doc Mismatch 文档要求用户执行 curl -fsSL https://bun.sh/install \| bash 安装 Bun 运行时 `curl -fsSL https://bun.sh/install \| bash` → 这是安装官方 BUN 运行时的标准方式，但远程管道执行存在理论风险，建议在文档中说明	`SKILL.md:17`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:缓存/结果写入，代码正常实现
Network	`READ`	`READ`	✓ Aligned	SKILL.md:访问 Amazon 搜索，代码正常实现
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:使用 Bun 运行，execSync 调用 npm run psearch
Browser	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:使用 Playwright 浏览器搜索

1 Critical 9 High 24 findings

💀

Critical Dangerous Command 危险 Shell 命令

curl -fsSL https://bun.sh/install | bash

SKILL.md:17

📡

High IP Address 硬编码 IP 地址

139.0.0.0

scripts/playwright_getcookie.ts:18

📡

High IP Address 硬编码 IP 地址

136.0.0.0

scripts/playwright_getcookie.ts:19

📡

High IP Address 硬编码 IP 地址

138.0.0.0

scripts/playwright_getcookie.ts:21

📡

High IP Address 硬编码 IP 地址

141.0.0.0

scripts/playwright_search.ts:19

📡

High IP Address 硬编码 IP 地址

132.0.0.0

scripts/playwright_search.ts:20

📡

High IP Address 硬编码 IP 地址

137.0.0.0

scripts/playwright_search.ts:25

📡

High IP Address 硬编码 IP 地址

135.0.0.0

scripts/playwright_search.ts:26

📡

High IP Address 硬编码 IP 地址

140.0.0.0

scripts/playwright_search.ts:27

📡

High IP Address 硬编码 IP 地址

120.0.0.0

scripts/vendors/image-cache/src/index.ts:105

🔗

Medium External URL 外部 URL

http://127.0.0.1:7890

SKILL.md:5

🔗

Medium External URL 外部 URL

https://bun.sh/install

SKILL.md:17

🔗

Medium External URL 外部 URL

https://m.media-amazon.com/images/I/91YprRrDB4L._AC_UL960_FMwebp_QL65_.jpg

SKILL.md:77

🔗

Medium External URL 外部 URL

https://www.amazon.com/dp/B09TPN9NJ6

SKILL.md:79

🔗

Medium External URL 外部 URL

http://127.0.0.1:10809

SKILL.md:157

🔗

Medium External URL 外部 URL

https://www.amazon.com

scripts/amazon_search.ts:112

🔗

Medium External URL 外部 URL

https://www.amazon.com/

scripts/playwright_getcookie.ts:120

🔗

Medium External URL 外部 URL

https://www.amazon.com/s?k=$

scripts/playwright_search.ts:270

🔗

Medium External URL 外部 URL

https://www.amazon.com$

scripts/playwright_search.ts:348

🔗

Medium External URL 外部 URL

https://www.google.com/

scripts/vendors/image-cache/src/index.ts:91

🔗

Medium External URL 外部 URL

https://www.pinterest.com/

scripts/vendors/image-cache/src/index.ts:93

🔗

Medium External URL 外部 URL

https://www.facebook.com/

scripts/vendors/image-cache/src/index.ts:95

🔗

Medium External URL 外部 URL

https://www.instagram.com/

scripts/vendors/image-cache/src/index.ts:97

🔗

Medium External URL 外部 URL

https://www.temu.com/

scripts/vendors/image-cache/src/index.ts:101

File Tree

10 files · 60.2 KB · 1842 lines

TypeScript 5f · 1482L Markdown 1f · 183L Ignore 2f · 155L JSON 2f · 22L

├─ ▾ 📁 scripts

│ ├─ ▾ 📁 vendors

│ │ └─ ▾ 📁 image-cache

│ │ ├─ ▾ 📁 src

│ │ │ └─ 📜 index.ts TypeScript 192L · 5.3 KB

│ │ ├─ 📄 .gitignore Ignore 76L · 795 B

│ │ └─ 📋 package.json JSON 7L · 135 B

│ ├─ 📜 amazon_search.ts TypeScript 460L · 15.5 KB

│ ├─ 📜 configure.ts TypeScript 149L · 3.9 KB

│ ├─ 📋 package.json JSON 15L · 296 B

│ ├─ 📜 playwright_getcookie.ts TypeScript 187L · 7.0 KB

│ └─ 📜 playwright_search.ts TypeScript 494L · 19.5 KB

├─ 📄 .gitignore Ignore 79L · 828 B

└─ 📝 SKILL.md Markdown 183L · 7.0 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`playwright`	`^1.58.2`	npm	No	无版本锁定
`sharp`	`^0.33.0`	npm	No	无版本锁定
`tsx`	`^4.21.0`	npm	No	devDependencies

Security Positives

✓ 功能实现与 SKILL.md 声明完全一致，无阴影功能

✓ 代码结构清晰，无混淆或隐蔽执行

✓ 无凭证收割、远程控制或数据外泄行为

✓ 缓存机制设计合理，使用 ASIN/uuid 防重复

✓ 支持代理配置和增量搜索，功能完整

✓ Playwright 反检测是为了绕过 Amazon 的 bot 检测，属于爬虫工具的常见做法

Scan Report

Findings 3 items

File Tree

Dependencies 3 items

Security Positives