Low risk: risk score 10/100
Last scanned: 1 day ago
Looper
Automate content creation, code improvement, and social media posting via Looper (looper.bot)
A straightforward API-wrapping skill for a SaaS content automation service with no malicious indicators.
Skill name: Looper
Analysis time: 33.8s
Engine: pi
Verdict: safe to install
Approve for use. The skill is a thin CLI wrapper around a documented REST API at api.looper.bot, with no hidden functionality.

Security findings: 1

Severity: Low
Finding: Shell/network/env access not declared in capability model (category: documentation deception)
Location: SKILL.md:1
Description: SKILL.md describes an API-wrapper tool but does not declare network or shell access. The allowed-tools mapping shows Bash→shell:WRITE and WebFetch→network:READ are implied, but SKILL.md omits any allowed-tools declaration.
Evidence: No allowedTools declared in SKILL.md
Recommendation: Add an allowedTools declaration to SKILL.md (Bash for script execution, Read for reference files).
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | READ | ✓ consistent | SKILL.md uses curl to api.looper.bot but does not declare network access as a ca…
Command execution | NONE | WRITE | ✓ consistent | looper-api.sh:42 — curl commands are invoked via bash subprocess
Filesystem | NONE | NONE | | No filesystem access found in any file
Environment variables | NONE | READ | ✓ consistent | looper-api.sh:6 — reads LOOPER_API_URL and LOOPER_ADMIN_KEY from environment
Skill invocation | NONE | NONE | | No cross-skill invocations
External URL findings: 9

Severity | Type | URL | Location
Medium | External URL | https://looper.bot | SKILL.md:4
Medium | External URL | https://api.looper.bot | SKILL.md:30
Medium | External URL | https://api.looper.bot/api/signup | SKILL.md:38
Medium | External URL | https://api.looper.bot/api/login | SKILL.md:48
Medium | External URL | https://api.looper.bot/api/loops | SKILL.md:62
Medium | External URL | https://api.looper.bot/api/loops/ | SKILL.md:149
Medium | External URL | https://api.looper.bot/api/github/connect | SKILL.md:204
Medium | External URL | https://api.looper.bot/api/github/status | SKILL.md:208
Medium | External URL | https://api.looper.bot/api/keys | SKILL.md:216

Directory structure

3 files · 11.6 KB · 395 lines
Markdown: 2 files · 333 lines; Shell: 1 file · 62 lines
├─ references/
│ └─ api-reference.md Markdown 97L · 3.0 KB
├─ scripts/
│ └─ looper-api.sh Shell 62L · 1.9 KB
└─ SKILL.md Markdown 236L · 6.6 KB

Security highlights

✓ No base64, eval, or obfuscated code detected anywhere
✓ All network traffic goes to a single, declared API endpoint (api.looper.bot)
✓ No credential exfiltration — LOOPER_ADMIN_KEY is used only for Bearer auth to the legitimate API
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data theft indicators
✓ No supply chain risks — no dependencies (requirements.txt, package.json, etc.)
✓ GitHub OAuth flow is documented and scoped to repo access only
✓ The GitHub source link (dbhurley/looper) is a real public repository