Suspicious: risk score 45/100
Last scan: 1 day ago
castreader
Read any web page aloud with natural AI voices. Extract article text from any URL and convert it to audio (MP3).
The CastReader skill has undocumented network behavior, undeclared browser automation with an anti-detection flag, and base64 audio processing that appears legitimate but warrants scrutiny.
Skill name: castreader
Analysis time: 37.4s
Engine: pi
Verdict: use with caution
Add explicit network:READ and browser declarations to SKILL.md. Remove --disable-blink-features=AutomationControlled flag. Verify external API endpoint is trustworthy before granting network access.

Security findings (5)

Severity | Finding [category] | Location
Medium | Undeclared network requests to external API [Documentation deception] | scripts/read-url.js:51
  All scripts communicate with api.castreader.ai:8123 for TTS services. SKILL.md only describes the URL extraction and audio generation workflow; it never explicitly declares the network:READ permission or the external API endpoint.
  Evidence: await fetch(`${API_URL}/api/captioned_speech_partly`, { method: 'POST' })
  → Declare network:READ in the SKILL.md metadata and document the external TTS API endpoint
Medium | Undeclared Puppeteer browser automation [Documentation deception] | scripts/extract.js:42
  extract.js and read-aloud.js use Puppeteer to launch headless Chrome and manipulate web pages. SKILL.md only mentions the 'read-url.js' and 'generate-text.js' scripts and omits browser automation entirely.
  Evidence: const browser = await puppeteer.launch({ headless: true, args: ['--no-sandbox', '--disable-setuid-sandbox'] })
  → Declare browser:WRITE in SKILL.md and document the Puppeteer usage for content extraction
Medium | Automation detection suppression flag [Sensitive access] | scripts/read-aloud.js:51
  read-aloud.js passes --disable-blink-features=AutomationControlled to Chrome, which suppresses navigator.webdriver detection. While common in legitimate automation, this anti-detection technique is suspicious when combined with undeclared browser access.
  Evidence: '--disable-blink-features=AutomationControlled'
  → Remove the anti-detection flag unless it is specifically required for legitimate extension testing
Low | Base64 audio decoding in multiple scripts [Code obfuscation] | scripts/generate-paragraph.js:94
  Base64-encoded audio from the API response is decoded with Buffer.from(audioBase64, 'base64'). While this is legitimate for TTS APIs, the pattern matches high-risk obfuscation signatures and was flagged by the pre-scan.
  Evidence: audioChunks.push(Buffer.from(audioBase64, 'base64'))
  → This appears legitimate for TTS services but should be documented to avoid false-positive detection
Low | Shell execution via subprocess not declared [Documentation deception] | scripts/read-url.js:79
  read-url.js uses execFileSync to invoke extract.js as a child process. SKILL.md describes 'node scripts/read-url.js' but does not mention that it internally spawns another Node process.
  Evidence: execFileSync('node', [extractScript, url], { encoding: 'utf-8' })
  → Document the internal script orchestration, or refactor to use direct module imports
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | READ | ✗ Exceeds declaration | scripts/read-url.js:51 - POST to api.castreader.ai:8123
File system | NONE | WRITE | ✗ Exceeds declaration | scripts/read-url.js:82 - fs.writeFileSync
Command execution | NONE | WRITE | ✗ Exceeds declaration | scripts/read-url.js:79 - execFileSync('node', ...)
Browser | NONE | WRITE | ✗ Exceeds declaration | scripts/read-aloud.js:43 - puppeteer.launch()
Pattern findings: 16 (1 critical, 1 high)

Severity | Category | Pattern | Evidence | Location
Critical | Encoded execution | Base64 encoded execution (code obfuscation) | Buffer.from(audioBase64, 'base64') | scripts/generate-paragraph.js:94
High | IP address | Hardcoded IP address | 131.0.0.0 | scripts/extract.js:42
Medium | External URL | External URL | https://img.shields.io/badge/OpenClaw-Skill-blue | README.md:3
Medium | External URL | External URL | https://clawhub.com/castreader | README.md:3
Medium | External URL | External URL | https://img.shields.io/badge/License-MIT-green.svg | README.md:4
Medium | External URL | External URL | https://img.shields.io/badge/platform-macOS%20%7C%20Linux%20%7C%20Windows-lightgrey | README.md:5
Medium | External URL | External URL | https://en.wikipedia.org/wiki/Text-to-speech | README.md:46
Medium | External URL | External URL | https://notion.so/my-page | README.md:99
Medium | External URL | External URL | https://chromewebstore.google.com/detail/castreader-tts-reader/foammmkhpbeladledijkdljlechlclpb | README.md:102
Medium | External URL | External URL | http://api.castreader.ai:8123 | README.md:134
Medium | External URL | External URL | https://castreader.ai | README.md:161
Medium | External URL | External URL | https://castreader.ai/openclaw | README.md:162
Medium | External URL | External URL | https://microsoftedge.microsoft.com/addons/detail/niidajfbelfcgnkmnpcmdlioclhljaaj | README.md:164
Medium | External URL | External URL | https://www.patreon.com/feross | package-lock.json:248
Medium | External URL | External URL | https://feross.org/support | package-lock.json:252
Medium | External URL | External URL | https://alistapart.com/blog/post/successful-or-unsuccessful-the-post-good-design-vocabulary/ | scripts/demo.js:58

Directory structure

11 files · 84.4 KB · 2592 lines
JSON: 2 files, 1222 lines · JavaScript: 6 files, 1028 lines · Markdown: 3 files, 342 lines
├─ 📁 references
│ └─ 📝 castreader-api.md Markdown 76L · 2.2 KB
├─ 📁 scripts
│ ├─ 📜 demo.js JavaScript 169L · 4.7 KB
│ ├─ 📜 extract.js JavaScript 87L · 2.3 KB
│ ├─ 📜 generate-paragraph.js JavaScript 155L · 4.6 KB
│ ├─ 📜 generate-text.js JavaScript 123L · 3.3 KB
│ ├─ 📜 read-aloud.js JavaScript 280L · 9.3 KB
│ └─ 📜 read-url.js JavaScript 214L · 6.2 KB
├─ 📋 package-lock.json JSON 1208L · 42.3 KB
├─ 📋 package.json JSON 14L · 391 B
├─ 📝 README.md Markdown 169L · 6.4 KB
└─ 📝 SKILL.md Markdown 97L · 2.8 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
puppeteer | ^23.0.0 | npm | | Version not pinned; auto-updates to latest
crypto | builtin | Node.js | | Standard library module

Security highlights

✓ No credential harvesting or environment variable theft detected
✓ No reverse shell, C2 communication, or data exfiltration patterns found
✓ Base64 usage is for legitimate TTS audio processing, not code obfuscation
✓ Hardcoded IP 131.0.0.0 is part of Chrome's internal UA string, not actual network contact
✓ All file operations confined to /tmp and skill directory
✓ No suspicious file downloads or supply chain indicators beyond unpinned versions