Low risk: risk score 20/100
Last scanned: 1 day ago
fanqie-novel-publisher
Fanqie Novel (番茄小说) chapter auto-publishing tool - Fanqie Novel chapter publishing automation
This is a legitimate Fanqie Novel chapter publishing automation tool using Playwright browser automation. The hardcoded IP address (120.0.0.0) is a placeholder that is not used in the code, and the clipboard shell commands are standard cross-platform clipboard access methods that fit the skill's documented browser automation purpose.
Skill name: fanqie-novel-publisher
Analysis time: 47.9s
Engine: pi
Safe to install
The skill is safe for use. Consider replacing the hardcoded IP placeholder with a proper constant name (e.g., PLACEHOLDER_IP) and adding a comment clarifying clipboard operations are for browser automation only.

Security findings: 2

Severity | Finding | Location
Low
Hardcoded private IP address placeholder (Sensitive access)
config.py:21 contains the hardcoded IP 120.0.0.0, which is flagged as a high-risk IOC. However, analysis shows this IP is never referenced or used anywhere in the codebase - it appears to be an unused placeholder that should be removed or renamed.
TIMEOUT = {
    "login": 120000,
    "page_load": 60000,
    "publish": 120000
}

# Selector configuration...
SELECTORS = {...}
→ Remove or rename the unused IP placeholder. If a placeholder is needed, use a named constant like PLACEHOLDER_IP with a comment explaining its purpose.
scripts/config.py:21
Low
Subprocess clipboard operations (Code execution)
publisher.py uses subprocess to call system clipboard commands (pbcopy on macOS, xclip/xsel on Linux, clip on Windows). This is legitimate cross-platform clipboard access for browser automation - the clipboard is used to paste chapter content into the web editor.
def _copy_to_clipboard(self, text: str) -> bool:
    system = platform.system()
    if system == "Darwin":
        proc = subprocess.Popen(['pbcopy'], stdin=subprocess.PIPE)
        proc.communicate(text.encode('utf-8'))
→ This is necessary functionality for the skill's purpose. No action needed - ensure documentation mentions clipboard access if required for allowed-tools declaration.
scripts/publisher.py:95
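| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md: Reads .md chapter files |
| Network access | READ | READ | ✓ Consistent | SKILL.md: Fanqie Novel platform browser automation |
| Command execution | NONE | WRITE | ✓ Consistent | scripts/publisher.py:95-122 - clipboard operations via pbcopy/xclip |
| Browser | READ | WRITE | ✓ Consistent | SKILL.md: Playwright browser automation for novel publishing |
| Clipboard | NONE | WRITE | ✓ Consistent | scripts/publisher.py:95-122 - content pasting for chapter editor |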
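1 high risk, 5 findings

| Severity | Type | Finding | Value | Location |
|---|---|---|---|---|
| High | IP address | Hardcoded IP address | 120.0.0.0 | scripts/config.py:21 |
| Medium | External URL | External URL | https://fanqienovel.com | scripts/config.py:7 |
| Medium | External URL | External URL | https://fanqienovel.com/writer/zone/ | scripts/config.py:8 |
| Medium | External URL | External URL | https://fanqienovel.com/main/writer/login?enter_from=skill | scripts/config.py:9 |
| Medium | External URL | External URL | https://fanqienovel.com/main/writer/book-manage | scripts/config.py:11 |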

Directory structure

8 files · 57.7 KB · 1786 lines
Python: 6 files · 1690 lines; Markdown: 1 file · 95 lines; Text: 1 file · 1 line
├─ 📁 scripts
│ ├─ 🐍 browser.py Python 193L · 6.1 KB
│ ├─ 🐍 config.py Python 66L · 2.2 KB
│ ├─ 🐍 login.py Python 217L · 7.2 KB
│ ├─ 🐍 main.py Python 470L · 14.0 KB
│ ├─ 🐍 publisher.py Python 407L · 14.6 KB
│ ├─ 📄 requirements.txt Text 1L · 42 B
│ └─ 🐍 works.py Python 337L · 11.5 KB
└─ 📝 SKILL.md Markdown 95L · 1.9 KB

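Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| playwright | 1.48.0 | pip | | Pinned version |
| browser-cookie3 | 0.19.1 | pip | | Pinned version |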

Security highlights

✓ All network requests target legitimate Fanqie Novel domain (fanqienovel.com)
✓ No credential theft or exfiltration - cookies are stored locally and used only for platform authentication
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ Dependencies are from reputable sources (Playwright) with pinned versions
✓ Browser automation with anti-detection is standard practice for web scraping
✓ No hidden functionality - all behavior aligns with stated purpose