中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
fanqie-novel-publisher
番茄小说章节自动发布工具 - Fanqie Novel chapter publishing automation
This is a legitimate Fanqie Novel chapter publishing automation tool using Playwright browser automation. The hardcoded IP address (120.0.0.0) is a placeholder not used in code, and clipboard shell commands are standard cross-platform clipboard access methods documented in the skill's browser automation purpose.
Skill Namefanqie-novel-publisher
Duration47.9s
Enginepi
Safe to install
The skill is safe for use. Consider replacing the hardcoded IP placeholder with a proper constant name (e.g., PLACEHOLDER_IP) and adding a comment clarifying clipboard operations are for browser automation only.

Findings 2 items

Severity Finding Location
Low
Hardcoded private IP address placeholder Sensitive Access
config.py:21 contains hardcoded IP 120.0.0.0 which is flagged as high-risk IOC. However, analysis shows this IP is never referenced or used anywhere in the codebase - it appears to be an unused placeholder that should be removed or renamed.
TIMEOUT = {
    "login": 120000,
    "page_load": 60000,
    "publish": 120000
}

# 选择器配置...
SELECTORS = {...}
→ Remove or rename the unused IP placeholder. If a placeholder is needed, use a named constant like PLACEHOLDER_IP with a comment explaining its purpose.
 scripts/config.py:21
Low
Subprocess clipboard operations RCE
publisher.py uses subprocess to call system clipboard commands (pbcopy on macOS, xclip/xsel on Linux, clip on Windows). This is legitimate cross-platform clipboard access for browser automation - the clipboard is used to paste chapter content into the web editor.
def _copy_to_clipboard(self, text: str) -> bool:
    system = platform.system()
    if system == "Darwin":
        proc = subprocess.Popen(['pbcopy'], stdin=subprocess.PIPE)
        proc.communicate(text.encode('utf-8'))
→ This is necessary functionality for the skill's purpose. No action needed - ensure documentation mentions clipboard access if required for allowed-tools declaration.
 scripts/publisher.py:95
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned SKILL.md: Reads .md chapter files
Network READ READ ✓ Aligned SKILL.md: Fanqie Novel platform browser automation
Shell NONE WRITE ✓ Aligned scripts/publisher.py:95-122 - clipboard operations via pbcopy/xclip
Browser READ WRITE ✓ Aligned SKILL.md: Playwright browser automation for novel publishing
Clipboard NONE WRITE ✓ Aligned scripts/publisher.py:95-122 - content pasting for chapter editor
1 High 5 findings
📡
High IP Address 硬编码 IP 地址
120.0.0.0
scripts/config.py:21
🔗
Medium External URL 外部 URL
https://fanqienovel.com
scripts/config.py:7
🔗
Medium External URL 外部 URL
https://fanqienovel.com/writer/zone/
scripts/config.py:8
🔗
Medium External URL 外部 URL
https://fanqienovel.com/main/writer/login?enter_from=skill
scripts/config.py:9
🔗
Medium External URL 外部 URL
https://fanqienovel.com/main/writer/book-manage
scripts/config.py:11

File Tree

8 files · 57.7 KB · 1786 lines
Python 6f · 1690L Markdown 1f · 95L Text 1f · 1L
├─ 📁 scripts
│ ├─ 🐍 browser.py Python 193L · 6.1 KB
│ ├─ 🐍 config.py Python 66L · 2.2 KB
│ ├─ 🐍 login.py Python 217L · 7.2 KB
│ ├─ 🐍 main.py Python 470L · 14.0 KB
│ ├─ 🐍 publisher.py Python 407L · 14.6 KB
│ ├─ 📄 requirements.txt Text 1L · 42 B
│ └─ 🐍 works.py Python 337L · 11.5 KB
└─ 📝 SKILL.md Markdown 95L · 1.9 KB

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
playwright 1.48.0 pip No Pinned version
browser-cookie3 0.19.1 pip No Pinned version

Security Positives

✓ All network requests target legitimate Fanqie Novel domain (fanqienovel.com)
✓ No credential theft or exfiltration - cookies are stored locally and used only for platform authentication
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ Dependencies are from reputable sources (Playwright) with pinned versions
✓ Browser automation with anti-detection is standard practice for web scraping
✓ No hidden functionality - all behavior aligns with stated purpose