szzg007-product-promotion 安全扫描报告 — 低风险 | ClawSafe

18 /100

szzg007-product-promotion

E-commerce product promotion email generation skill - extracts images from product URLs, generates HTML email templates, and saves to asset library with optional email sending.

This is a legitimate e-commerce product promotion email generation skill with declared image extraction, template generation, and email sending capabilities. The only notable concern is a hardcoded SMTP credential in the source code, which is a deployment hygiene issue rather than malicious behavior.

技能名称szzg007-product-promotion

分析耗时47.2s

引擎pi

✓

可以安装

Remove hardcoded SMTP credentials from send-email.py and load from environment variables or config file instead. No other security concerns require blocking the skill's use.

安全发现 3 项

严重性	安全发现	位置
中危	Hardcoded SMTP credential in source code 凭证窃取 SMTP password 'FC27pgp77tc5Vvhv' is hardcoded as a string constant in send-email.py line 20. This is a deployment hygiene issue. The credential is not exfiltrated but could be extracted from the source code. SKILL.md references an email-config.env file that should store this, but the actual script bypasses it. `SMTP_PASS = "FC27pgp77tc5Vvhv"` → Remove hardcoded credentials. Load SMTP_PASS from environment variable or the email-config.env file referenced in SKILL.md.	`scripts/send-email.py:20`
低危	Subprocess curl execution not declared in capability model 文档欺骗 SKILL.md states '使用 curl 下载' for image extraction, but the capability map does not declare shell:WRITE. The skill uses subprocess.run(['curl', ...]) in product-promotion.py line 128 for downloading images. This is a legitimate and necessary operation for the feature, but not formally declared. `subprocess.run(['curl', '-L', '-sS', '-o', str(filepath), url], capture_output=True, timeout=30)` → Declare shell:WRITE capability in SKILL.md since curl download via subprocess is used.	`scripts/product-promotion.py:128`
低危	No pinned Python dependencies 供应链 package.json declares 'dependencies': {} and engines python>=3.8 with no requirements.txt or pinned packages. While the scripts use only built-in libraries (sys, json, smtplib, ssl, pathlib, subprocess, etc.), dependency pinning would improve supply chain hygiene. `"dependencies": {}` → Add a requirements.txt with pinned versions of any future dependencies.	`package.json:41`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md: Saves to product-promotion-assets/emails/ and images/
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: Extracts images via browser/curl from product URLs; sends via SMTP
命令执行	`NONE`	`WRITE`	✓ 一致	product-promotion.py:128 - subprocess.run(['curl', ...]) not declared in SKILL.m…
环境变量	`NONE`	`NONE`	—	No environment variable access detected
技能调用	`NONE`	`NONE`	—	No cross-skill invocation detected
剪贴板	`NONE`	`NONE`	—	No clipboard access detected
浏览器	`READ`	`READ`	✓ 一致	SKILL.md: browser tool for snapshot image extraction
数据库	`NONE`	`NONE`	—	No database access detected

17 项发现

🔗

中危外部 URL 外部 URL

https://www.themossriver.com/products/clear-pc-storage-box

README.md:72

🔗

中危外部 URL 外部 URL

https://www.example.com/product/xxx

SKILL.md:27

🔗

中危外部 URL 外部 URL

https://xxx.com/product/123

SKILL.md:33

🔗

中危外部 URL 外部 URL

https://xxx.com/product/123，生成邮件模版，保存到素材库

SKILL.md:39

🔗

中危外部 URL 外部 URL

https://xxx.com/product/456

SKILL.md:43

🔗

中危外部 URL 外部 URL

https://shop.example.com/product/premium-organizer

SKILL.md:161

🔗

中危外部 URL 外部 URL

https://www.themossriver.com/products/storage-box

references/CODE_SYSTEM.md:160

🔗

中危外部 URL 外部 URL

https://shop.example.com/kids-summer-dress

references/CODE_SYSTEM.md:168

🔗

中危外部 URL 外部 URL

https://shop.com/product/1

references/USAGE_EXAMPLES.md:71

🔗

中危外部 URL 外部 URL

https://shop.com/product/2

references/USAGE_EXAMPLES.md:72

🔗

中危外部 URL 外部 URL

https://shop.com/product/3

references/USAGE_EXAMPLES.md:73

🔗

中危外部 URL 外部 URL

https://shop.com/product/4

references/USAGE_EXAMPLES.md:74

🔗

中危外部 URL 外部 URL

https://shop.com/product/5

references/USAGE_EXAMPLES.md:75

🔗

中危外部 URL 外部 URL

https://shop.com/product/blue-widget

references/USAGE_EXAMPLES.md:104

📧

提示邮箱邮箱地址

[email protected]

README.md:63

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:49

📧

提示邮箱邮箱地址

[email protected]

scripts/send-email.py:20

目录结构

9 文件 · 55.9 KB · 1887 行

Python 3f · 897L Markdown 4f · 739L HTML 1f · 180L JSON 1f · 71L

├─ ▾ 📁 references

│ ├─ 📝 CODE_SYSTEM.md Markdown 231L · 5.3 KB

│ └─ 📝 USAGE_EXAMPLES.md Markdown 186L · 4.0 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 email-code-manager.py Python 224L · 6.6 KB

│ ├─ 🐍 product-promotion.py Python 563L · 19.0 KB

│ └─ 🐍 send-email.py Python 110L · 2.9 KB

├─ ▾ 📁 templates

│ └─ 📄 email-template-v1.html HTML 180L · 8.1 KB

├─ 📋 package.json JSON 71L · 1.9 KB

├─ 📝 README.md Markdown 92L · 2.3 KB

└─ 📝 SKILL.md Markdown 230L · 5.8 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`None (uses only built-in Python libraries)`	`N/A`	stdlib	否	No third-party dependencies

安全亮点

✓ No base64-encoded execution, eval(), or obfuscated code detected

✓ No credential harvesting from environment or sensitive paths (~/.ssh, ~/.aws, .env)

✓ No reverse shell, C2 communication, or data exfiltration endpoints

✓ No hidden instructions in HTML comments or templates

✓ No curl|bash remote script execution

✓ No access to sensitive user paths (SSH keys, cloud credentials)

✓ No cron, persistence, or backdoor mechanisms

✓ SMTP credential is used locally for the stated feature (email sending), not exfiltrated

✓ All file I/O is confined to declared output directories within the skill's asset paths