Low Risk — Risk Score 22/100
Last scan: 1 day ago
skroller
Automated social media content collection and analysis across 10 platforms (Twitter/X, Instagram, TikTok, Reddit, LinkedIn, YouTube, Product Hunt, Medium, GitHub, Pinterest) using Playwright browser automation
Legitimate social media scraping skill with a minor documentation gap around undeclared shell execution via execSync for the Bear and Apple Notes exports. No malicious behavior, credential theft, or data exfiltration observed.
Skill Name: skroller
Duration: 58.9s
Engine: pi
Safe to install
Add explicit documentation in SKILL.md about shell execution via execSync for Bear and osascript for Apple Notes exports. Where possible, replace execSync with a shell-free mechanism (execFileSync with an argument array, or another IPC mechanism) so that note titles and bodies are never parsed by a shell.

Findings: 3 items

Medium (Doc Mismatch)
Shell execution via execSync not declared in SKILL.md
export-to-notes.js uses child_process.execSync to run shell commands: 'which grizzly' and 'grizzly create' for the Bear export, and 'osascript' for the Apple Notes export. These are legitimate local CLI operations, but SKILL.md does not document them.
execSync('which grizzly', { stdio: 'ignore' });
→ Document shell execution as a capability in SKILL.md under the export scripts section, or refactor to a shell-free call (execFileSync with an argument array, or another IPC mechanism) so that user-controlled note content is never interpreted by a shell.
Location: scripts/export-to-notes.js:56
Low (Doc Mismatch)
Environment variable credential access not declared in SKILL.md
SKILL.md documents credential storage via environment variables (SKROLLR_TWITTER_COOKIE, SKROLLR_INSTAGRAM_USER/PASS), but export-to-notes.js additionally reads NOTION_API_KEY and MS_GRAPH_TOKEN from process.env, and neither is documented.
const notionKey = apiKey || process.env.NOTION_API_KEY;
→ Document all environment variables used by the skill in SKILL.md under the Configuration section.
Location: scripts/export-to-notes.js:239
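A check that catches this class of mismatch automatically, added here as an example and not part of the skill: it scans script sources for process.env reads (dot, bracket and destructuring forms) and compares them with the variables SKILL.md documents. The SKILL.md excerpt and script snippets are constructed to mirror the finding; MS_GRAPH_TOKEN is read with bracket syntax and SKROLLR_OUTPUT_DIR is invented to show a declared-but-unused variable. Treating `export NAME=` lines and backticked names as declarations is an assumption about how SKILL.md documents configuration.

```javascript
// Added example: reconcile process.env reads in the scripts with the variables
// SKILL.md documents. Inputs are constructed excerpts, not the real files.
const SKILL_MD = [
  '## Configuration',
  'Set credentials as environment variables:',
  'export SKROLLR_TWITTER_COOKIE="<cookie>"',
  'export SKROLLR_INSTAGRAM_USER="<user>"',
  'export SKROLLR_INSTAGRAM_PASS="<password>"',
  'Optional: `SKROLLR_OUTPUT_DIR` overrides the output folder.',
].join('\n');

const SCRIPTS = {
  'scripts/export-to-notes.js': [
    'const notionKey = apiKey || process.env.NOTION_API_KEY;',
    "const graphToken = opts.token ?? process.env['MS_GRAPH_TOKEN'];",
    'const cookie = process.env.SKROLLR_TWITTER_COOKIE;',
  ].join('\n'),
  'scripts/skroller.js': [
    'const { SKROLLR_INSTAGRAM_USER, SKROLLR_INSTAGRAM_PASS: igPass = "" } = process.env;',
  ].join('\n'),
};

// Three ways a Node script reads the environment. Destructuring is the one a
// plain grep for process.env.NAME misses.
const DOT_READ = /process\.env\.([A-Za-z_$][\w$]*)/g;
const BRACKET_READ = /process\.env\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]/g;
const DESTRUCTURE = /\{([^}]*)\}\s*=\s*process\.env\b/g;

// Return every environment read in a source file as { name, line }.
function envReads(source) {
  const reads = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    for (const m of text.matchAll(DOT_READ)) reads.push({ name: m[1], line });
    for (const m of text.matchAll(BRACKET_READ)) reads.push({ name: m[2], line });
    for (const m of text.matchAll(DESTRUCTURE)) {
      for (const part of m[1].split(',')) {
        const name = part.split(/[:=]/)[0].trim(); // drop `: alias` and `= default`
        if (name) reads.push({ name, line });
      }
    }
  });
  return reads;
}

// Variables SKILL.md documents: `export NAME=` lines and backticked NAME mentions.
function declaredEnvVars(skillMd) {
  const declared = new Set();
  for (const m of skillMd.matchAll(/export\s+([A-Z_][A-Z0-9_]*)=/g)) declared.add(m[1]);
  for (const m of skillMd.matchAll(/`([A-Z][A-Z0-9_]*_[A-Z0-9_]+)`/g)) declared.add(m[1]);
  return declared;
}

function compareEnvUsage(skillMd, scripts) {
  const declared = declaredEnvVars(skillMd);
  const used = new Map(); // name -> ['file:line', ...]
  for (const [file, source] of Object.entries(scripts)) {
    for (const { name, line } of envReads(source)) {
      if (!used.has(name)) used.set(name, []);
      used.get(name).push(`${file}:${line}`);
    }
  }
  return {
    undeclared: [...used.keys()].filter((n) => !declared.has(n)).sort(),
    unused: [...declared].filter((n) => !used.has(n)).sort(),
    used,
  };
}

// Render Doc Mismatch lines in the shape of the finding above.
function report(skillMd, scripts) {
  const { undeclared, unused, used } = compareEnvUsage(skillMd, scripts);
  const lines = undeclared.map((n) => `undeclared ${n} (read at ${used.get(n).join(', ')})`);
  lines.push(...unused.map((n) => `declared but never read: ${n}`));
  return lines;
}
```

Run against the real tree, the inputs would be the contents of SKILL.md and each file under scripts/; the same comparison also flags documentation rot in the other direction, a variable SKILL.md still advertises that no script reads any more.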
Low (Sensitive Access)
Credential environment variables encourage credential-in-env pattern
SKILL.md instructs users to set SKROLLR_INSTAGRAM_PASS and similar credentials directly in environment variables. This is better than hardcoding, but environment variables are readable by every process running as the same user and routinely leak through process listings, crash dumps and debug logs, so storing social media passwords there without additional protection (a secrets manager or the OS credential store) remains a risk.
export SKROLLR_INSTAGRAM_PASS="<password>"
→ Recommend a secrets manager or the OS credential store instead of raw environment variables for social media credentials.
Location: SKILL.md:144
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | Playwright page.goto() for scraping; fetch() for Notion/OneNote API calls
Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | Reads .skroller-config.json, writes JSON/CSV/Markdown output, writes to Obsidian…
Shell | NONE | WRITE | ✗ Violation | scripts/export-to-notes.js:56 execSync('which grizzly'), line 74 execSync(comman…
Environment | NONE | READ | ✗ Violation | process.env.NOTION_API_KEY, MS_GRAPH_TOKEN, SKROLLR_TWITTER_COOKIE, SKROLLR_INST…
Browser | READ | READ | ✓ Aligned | Playwright chromium.launch() for scraping all 10 platforms
51 findings (all Medium, category: External URL)

https://twitter.com/... | SKILL.md:215
https://www.reddit.com/search.json?q=test | assets/selector-reference.md:84
https://news.ycombinator.com/search?query=test | assets/selector-reference.md:315
https://twitter.com/ | references/platform-details.md:20
https://twitter.com/search?q= | references/platform-details.md:21
https://twitter.com/search?q=%23 | references/platform-details.md:22
https://www.reddit.com/search/?q= | references/platform-details.md:51
https://www.reddit.com/r/ | references/platform-details.md:52
https://www.reddit.com/user/ | references/platform-details.md:53
https://oauth.reddit.com | references/platform-details.md:65
https://www.reddit.com/ | references/platform-details.md:66
https://oauth.reddit.com/search.json?q=$ | references/platform-details.md:73
https://www.instagram.com/ | references/platform-details.md:84
https://www.instagram.com/explore/tags/ | references/platform-details.md:85
https://www.instagram.com/reels/ | references/platform-details.md:86
https://www.tiktok.com/search?q= | references/platform-details.md:115
https://www.tiktok.com/@ | references/platform-details.md:116
https://www.tiktok.com/tag/ | references/platform-details.md:117
https://www.linkedin.com/search/results/content/?keywords= | references/platform-details.md:146
https://www.linkedin.com/in/ | references/platform-details.md:147
https://www.linkedin.com/company/ | references/platform-details.md:148
https://www.youtube.com/results?search_query= | references/platform-details.md:177
https://www.youtube.com/@ | references/platform-details.md:178
https://www.youtube.com/watch?v= | references/platform-details.md:179
https://news.ycombinator.com/search?query= | references/platform-details.md:231
https://news.ycombinator.com/ | references/platform-details.md:232
https://news.ycombinator.com/newest | references/platform-details.md:233
https://www.producthunt.com/search?q= | references/platform-details.md:256
https://www.producthunt.com/topics/ | references/platform-details.md:257
https://www.producthunt.com/leaderboard | references/platform-details.md:258
https://medium.com/search?q= | references/platform-details.md:279
https://medium.com/ | references/platform-details.md:280
https://medium.com/@ | references/platform-details.md:281
https://www.pinterest.com/search/pins/?q= | references/platform-details.md:333
https://www.pinterest.com/ | references/platform-details.md:334
https://api.notion.com/v1/pages | scripts/export-to-notes.js:253
http://xml.evernote.com/pub/evernote-export4.dtd | scripts/export-to-notes.js:321
https://graph.microsoft.com/v1.0/me/onenote/sections/$ | scripts/export-to-notes.js:387
https://graph.microsoft.com/v1.0/me/onenote/pages | scripts/export-to-notes.js:388
https://keep.google.com | scripts/export-to-notes.js:441
https://twitter.com/$ | scripts/skroller.js:24
https://twitter.com/search?q=$ | scripts/skroller.js:25
https://www.reddit.com/search/?q=$ | scripts/skroller.js:38
https://www.instagram.com/$ | scripts/skroller.js:51
https://www.instagram.com/explore/tags/$ | scripts/skroller.js:52
https://www.tiktok.com/search?q=$ | scripts/skroller.js:63
https://www.linkedin.com/search/results/content/?keywords=$ | scripts/skroller.js:74
https://www.youtube.com/results?search_query=$ | scripts/skroller.js:86
https://www.producthunt.com/search?q=$ | scripts/skroller.js:97
https://medium.com/search?q=$ | scripts/skroller.js:108
https://www.pinterest.com/search/pins/?q=$ | scripts/skroller.js:132

File Tree

9 files · 70.1 KB · 2491 lines
Markdown: 4 files, 1293 lines · JavaScript: 3 files, 1135 lines · JSON: 2 files, 63 lines
├─ 📁 assets
│ └─ 📝 selector-reference.md Markdown 414L · 6.5 KB
├─ 📁 references
│ ├─ 📝 platform-details.md Markdown 350L · 8.0 KB
│ └─ 📝 rate-limits.md Markdown 222L · 5.5 KB
├─ 📁 scripts
│ ├─ 📜 export-to-notes.js JavaScript 655L · 21.4 KB
│ ├─ 📜 feed-digest.js JavaScript 171L · 5.2 KB
│ └─ 📜 skroller.js JavaScript 309L · 12.1 KB
├─ 📋 .skroller-config.example.json JSON 37L · 833 B
├─ 📋 package.json JSON 26L · 572 B
└─ 📝 SKILL.md Markdown 307L · 10.0 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
playwright | ^1.40.0 | npm | No | Caret range allows minor and patch updates; consider pinning to an exact version (1.40.0) and committing a lockfile so installs are reproducible

Security Positives

✓ No base64-encoded payloads, reverse shells, or C2 communication
✓ No access to ~/.ssh, ~/.aws, or other sensitive host paths
✓ No credential harvesting or exfiltration to external IPs beyond declared API calls
✓ No obfuscation techniques (eval, atob, etc.) detected
✓ playwright is the only dependency, sourced from npm, with no known vulnerabilities in the declared ^1.40.0 range (a caret range, not an exact pin)
✓ All network calls are to legitimate platform URLs (Twitter, Reddit, Notion API, Microsoft Graph) and are documented
✓ Outbound data flow is limited to user-requested exports to the user's own note apps
✓ Compliance notices present in all scripts regarding ToS, GDPR, and CCPA
✓ Screenshots and deduplication state stored locally only