wechat-xhs-publisher 安全扫描报告 — 低风险 | ClawSafe

15 /100

wechat-xhs-publisher

微信公众号与小红书一键发布工具

A legitimate WeChat/Xiaohongshu publishing workflow tool with no malicious behavior; lacks declared permissions in frontmatter but no actual security violations detected.

技能名称wechat-xhs-publisher

分析耗时23.2s

引擎pi

✓

可以安装

Add allowed-tools declaration to SKILL.md frontmatter for transparency, even though no code execution or credential handling is present.

安全发现 1 项

严重性	安全发现	位置
低危	Missing allowed-tools declaration 文档欺骗 SKILL.md frontmatter lacks allowed-tools declaration, making it unclear what permissions this skill requests. However, analysis shows no actual dangerous operations occur. `--- name: wechat-xhs-publisher ... ---` → Add 'allowed-tools' declaration to frontmatter for transparency, e.g., allowed-tools: {Read: filesystem:READ}	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No file operations in implementation
网络访问	`NONE`	`NONE`	—	Delegates to other skills for network operations
命令执行	`NONE`	`NONE`	—	No shell execution in code
环境变量	`NONE`	`NONE`	—	No environment variable access
技能调用	`NONE`	`READ`	✓ 一致	Invokes wechat-ip-checker, baoyu-post-to-wechat, xiaohongshu MCP - declared in d…
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

1 项发现

🔗

中危外部 URL 外部 URL

https://www.ip38.com/

SKILL.md:75

目录结构

1 文件 · 3.9 KB · 150 行

Markdown 1f · 150L

└─ 📝 SKILL.md Markdown 150L · 3.9 KB

安全亮点

✓ No code execution or shell commands present

✓ No credential harvesting or sensitive data access

✓ No base64 encoded or obfuscated content

✓ No network requests to suspicious endpoints

✓ Relies on documented external skills for functionality

✓ No supply chain dependencies to analyze

✓ No hidden functionality or shadow behavior