skroller
Low risk, risk score 22/100
Last scanned: 1 day ago
Automated social media content collection and analysis across 10 platforms (Twitter/X, Instagram, TikTok, Reddit, LinkedIn, YouTube, Product Hunt, Medium, GitHub, Pinterest) using Playwright browser automation
Legitimate social media scraping skill. The only gap is documentation: scripts/export-to-notes.js runs local commands through child_process.execSync (Bear and Apple Notes export) and reads two API tokens from the environment, none of which SKILL.md declares. No malicious behaviour, credential theft or data exfiltration was observed.
Skill name: skroller
Analysis time: 58.9s
Engine: pi
Verdict: safe to install
Recommendation: Declare in SKILL.md that the export scripts execute local commands (the Bear CLI via execSync and osascript for Apple Notes export) and list every environment variable the scripts read. Where possible replace execSync with execFileSync and an argument array, so no shell parses note content, or call a dedicated API instead of spawning a process.

Security findings (3)

Each entry lists severity, finding title and category, description, evidence, recommendation (→) and location.
Medium | Shell execution via execSync not declared in SKILL.md | Category: documentation mismatch (undeclared capability)
scripts/export-to-notes.js uses child_process.execSync to run local commands: 'which grizzly' and 'grizzly create' for the Bear export, and 'osascript' for the Apple Notes export. These are legitimate local CLI operations, but SKILL.md does not declare that the skill executes commands at all. execSync also hands its argument to a shell, so if note content is ever interpolated into the command string it is parsed as shell syntax.
Evidence: execSync('which grizzly', { stdio: 'ignore' });
→ Declare command execution as a capability in SKILL.md under the export scripts section, and prefer execFileSync with an argument array (no shell) or a direct API over execSync.
Location: scripts/export-to-notes.js:56
Low | Environment variable credential access not declared in SKILL.md | Category: documentation mismatch (undeclared capability)
SKILL.md documents credential storage via environment variables (SKROLLR_TWITTER_COOKIE, SKROLLR_INSTAGRAM_USER/PASS), but scripts/export-to-notes.js additionally reads NOTION_API_KEY and MS_GRAPH_TOKEN from process.env, and neither is documented. A user who grants the skill access to their environment cannot tell from SKILL.md which secrets it will consume.
Evidence: const notionKey = apiKey || process.env.NOTION_API_KEY;
→ Document every environment variable the skill reads in SKILL.md under the Configuration section.
Location: scripts/export-to-notes.js:239
Low | Credential environment variables encourage the credential-in-env pattern | Category: sensitive access
SKILL.md instructs users to set SKROLLR_INSTAGRAM_PASS and similar credentials directly in environment variables. This is better than hardcoding, but environment variables are inherited by every child process (here the Playwright-launched browser and any shell started via execSync), are readable from /proc/<pid>/environ by other processes of the same user, and are routinely captured by crash reporters and debug logs. Holding a social media password this way without further protection is a moderate risk.
Evidence: export SKROLLR_INSTAGRAM_PASS="<password>"
→ Recommend loading credentials from a secrets manager or the OS keychain at runtime rather than from raw environment variables, and avoid `export` lines in shell profiles, where the password also lands in shell history.
Location: SKILL.md:144
Permission comparison (declared in SKILL.md vs inferred from code)

Resource type | Declared | Inferred | Status | Evidence
Network access | READ | READ | consistent | Playwright page.goto() for scraping; fetch() for Notion/OneNote API calls
File system | READ+WRITE | READ+WRITE | consistent | Reads .skroller-config.json, writes JSON/CSV/Markdown output, writes to Obsidian…
Command execution | NONE | WRITE | exceeds declaration | scripts/export-to-notes.js:56 execSync('which grizzly'), line 74 execSync(comman…
Environment variables | NONE | READ | exceeds declaration | process.env.NOTION_API_KEY, MS_GRAPH_TOKEN, SKROLLR_TWITTER_COOKIE, SKROLLR_INST…
Browser | READ | READ | consistent | Playwright chromium.launch() for scraping all 10 platforms
External URL references (51)

Every entry is classified Medium / External URL by the scanner. They are the scraping targets listed in the reference and selector guides, the URL templates in scripts/skroller.js (a trailing `$` is the start of a template-literal placeholder that the scanner truncated), and the export endpoints in scripts/export-to-notes.js. The http://xml.evernote.com DTD entry appears to be the standard ENEX DOCTYPE reference written into the exported file rather than a fetched resource.

URL | Location
https://twitter.com/... | SKILL.md:215
https://www.reddit.com/search.json?q=test | assets/selector-reference.md:84
https://news.ycombinator.com/search?query=test | assets/selector-reference.md:315
https://twitter.com/ | references/platform-details.md:20
https://twitter.com/search?q= | references/platform-details.md:21
https://twitter.com/search?q=%23 | references/platform-details.md:22
https://www.reddit.com/search/?q= | references/platform-details.md:51
https://www.reddit.com/r/ | references/platform-details.md:52
https://www.reddit.com/user/ | references/platform-details.md:53
https://oauth.reddit.com | references/platform-details.md:65
https://www.reddit.com/ | references/platform-details.md:66
https://oauth.reddit.com/search.json?q=$ | references/platform-details.md:73
https://www.instagram.com/ | references/platform-details.md:84
https://www.instagram.com/explore/tags/ | references/platform-details.md:85
https://www.instagram.com/reels/ | references/platform-details.md:86
https://www.tiktok.com/search?q= | references/platform-details.md:115
https://www.tiktok.com/@ | references/platform-details.md:116
https://www.tiktok.com/tag/ | references/platform-details.md:117
https://www.linkedin.com/search/results/content/?keywords= | references/platform-details.md:146
https://www.linkedin.com/in/ | references/platform-details.md:147
https://www.linkedin.com/company/ | references/platform-details.md:148
https://www.youtube.com/results?search_query= | references/platform-details.md:177
https://www.youtube.com/@ | references/platform-details.md:178
https://www.youtube.com/watch?v= | references/platform-details.md:179
https://news.ycombinator.com/search?query= | references/platform-details.md:231
https://news.ycombinator.com/ | references/platform-details.md:232
https://news.ycombinator.com/newest | references/platform-details.md:233
https://www.producthunt.com/search?q= | references/platform-details.md:256
https://www.producthunt.com/topics/ | references/platform-details.md:257
https://www.producthunt.com/leaderboard | references/platform-details.md:258
https://medium.com/search?q= | references/platform-details.md:279
https://medium.com/ | references/platform-details.md:280
https://medium.com/@ | references/platform-details.md:281
https://www.pinterest.com/search/pins/?q= | references/platform-details.md:333
https://www.pinterest.com/ | references/platform-details.md:334
https://api.notion.com/v1/pages | scripts/export-to-notes.js:253
http://xml.evernote.com/pub/evernote-export4.dtd | scripts/export-to-notes.js:321
https://graph.microsoft.com/v1.0/me/onenote/sections/$ | scripts/export-to-notes.js:387
https://graph.microsoft.com/v1.0/me/onenote/pages | scripts/export-to-notes.js:388
https://keep.google.com | scripts/export-to-notes.js:441
https://twitter.com/$ | scripts/skroller.js:24
https://twitter.com/search?q=$ | scripts/skroller.js:25
https://www.reddit.com/search/?q=$ | scripts/skroller.js:38
https://www.instagram.com/$ | scripts/skroller.js:51
https://www.instagram.com/explore/tags/$ | scripts/skroller.js:52
https://www.tiktok.com/search?q=$ | scripts/skroller.js:63
https://www.linkedin.com/search/results/content/?keywords=$ | scripts/skroller.js:74
https://www.youtube.com/results?search_query=$ | scripts/skroller.js:86
https://www.producthunt.com/search?q=$ | scripts/skroller.js:97
https://medium.com/search?q=$ | scripts/skroller.js:108
https://www.pinterest.com/search/pins/?q=$ | scripts/skroller.js:132

Directory structure

9 files · 70.1 KB · 2491 lines
Markdown: 4 files, 1293 lines · JavaScript: 3 files, 1135 lines · JSON: 2 files, 63 lines
├─ assets/
│  └─ selector-reference.md (Markdown, 414 lines, 6.5 KB)
├─ references/
│  ├─ platform-details.md (Markdown, 350 lines, 8.0 KB)
│  └─ rate-limits.md (Markdown, 222 lines, 5.5 KB)
├─ scripts/
│  ├─ export-to-notes.js (JavaScript, 655 lines, 21.4 KB)
│  ├─ feed-digest.js (JavaScript, 171 lines, 5.2 KB)
│  └─ skroller.js (JavaScript, 309 lines, 12.1 KB)
├─ .skroller-config.example.json (JSON, 37 lines, 833 B)
├─ package.json (JSON, 26 lines, 572 B)
└─ SKILL.md (Markdown, 307 lines, 10.0 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
playwright | ^1.40.0 | npm | none listed | The caret range allows minor and patch updates, not just patches. Consider pinning to an exact version (1.40.0) and committing a lockfile; the file listing shows none.

Security highlights

✓ No base64-encoded payloads, reverse shells or C2 communication
✓ No access to ~/.ssh, ~/.aws or other sensitive host paths
✓ No credential harvesting; no traffic to external hosts beyond the declared platform and export API calls
✓ No obfuscation techniques (eval, atob, etc.) detected
✓ Single third-party dependency, playwright ^1.40.0 (a caret range, not an exact pin; see dependency analysis)
✓ All network calls go to the scraped platforms or the export APIs (Twitter, Reddit, Notion API, Microsoft Graph) and match the declared network permission
✓ Outbound data flow is limited to user-requested exports to the user's own note apps
✓ Compliance notices present in all scripts regarding ToS, GDPR and CCPA
✓ Screenshots and deduplication state are stored locally only