Trusted: risk score 5/100
Last scanned: 2 days ago
content-workflow-engine
Automate end-to-end content workflows from ideation to publication and distribution
This is a legitimate content workflow automation skill with no malicious behavior detected. All functionality is accurately documented, scripts use standard Python libraries, and no hidden exfiltration or credential harvesting was found.
Skill name: content-workflow-engine
Analysis time: 33.9s
Engine: pi
Installable
This skill is safe to use. Follow standard security practices: never commit api_config.json with real credentials, use environment variables for API keys in production, and rotate keys regularly.

Security findings (3)

Severity: Low
Finding: Configuration template contains credential placeholders
The api_config.example.json file contains template fields for API keys and credentials. These are placeholders, not actual secrets, but could be mistakenly replaced with real values.
"api_key": "YOUR_OPENAI_API_KEY"
→ Ensure users understand these are examples only. Document the security note about using environment variables in production.
Location: assets/config/api_config.example.json:1

Severity: Info
Finding: subprocess usage for script execution
The blog_automated.py script uses subprocess.run() to execute workflows. This is expected and documented behavior for a CLI-based workflow tool.
subprocess.run(["python3", "run_workflow.py", ...])
→ No action needed - this is legitimate CLI tool behavior
Location: scripts/workflow_templates/blog_automated.py:195

Severity: Info
Finding: File system operations scoped to specific directories
All file write operations are scoped to controlled directories: workflows/, reports/, brainstorm_output/, and backups/. No access to sensitive user directories like ~/.ssh or ~/.aws.
output_path = Path("workflows")
→ No action needed - good practice
Location: scripts/
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | WRITE | ✓ Consistent | Scripts write to workflows/, reports/, brainstorm_output/ directories - scoped a…
Network access | READ | READ | ✓ Consistent | Makes API calls to WordPress, social media platforms as declared in SKILL.md
Command execution | WRITE | WRITE | ✓ Consistent | Uses subprocess for Python script execution, documented and expected for CLI too…
Environment variables | NONE | NONE | | No environment variable access observed in code
Indicators found (6)

🔗 Medium | External URL | https://yourblog.com/wp-json | SKILL.md:234
🔗 Medium | External URL | https://yourdomain.com/health | assets/config/api_config.example.json:117
📧 Info | Email address | [email protected] | CLAWHUB_LISTING.md:282
📧 Info | Email address | [email protected] | CLAWHUB_LISTING.md:347
📧 Info | Email address | [email protected] | assets/config/api_config.example.json:39
📧 Info | Email address | [email protected] | assets/config/api_config.example.json:115

Directory structure

15 files · 103.1 KB · 3374 lines
Markdown 6 files · 1855 lines | Python 4 files · 1135 lines | JSON 4 files · 264 lines | JavaScript 1 file · 120 lines
├─ 📁 assets
│  ├─ 📁 config
│  │  └─ 📋 api_config.example.json  JSON 131L · 3.7 KB
│  └─ 📁 templates
│     ├─ 📁 social
│     │  └─ 📋 twitter_template.json  JSON 48L · 1.9 KB
│     └─ 📝 blog_template.md  Markdown 111L · 2.4 KB
├─ 📁 references
│  ├─ 📝 scheduled_blog.md  Markdown 442L · 10.9 KB
│  └─ 📝 social_multi.md  Markdown 558L · 14.0 KB
├─ 📁 scripts
│  ├─ 📁 workflow_templates
│  │  └─ 🐍 blog_automated.py  Python 319L · 10.6 KB
│  ├─ 🐍 brainstorm.py  Python 265L · 10.8 KB
│  ├─ 🐍 create_workflow.py  Python 138L · 5.7 KB
│  └─ 🐍 run_workflow.py  Python 413L · 15.0 KB
├─ 📁 test_workflows
│  └─ 📋 test-blog-pipeline.json  JSON 60L · 1.1 KB
├─ 📝 CLAWHUB_LISTING.md  Markdown 346L · 10.2 KB
├─ 📜 index.js  JavaScript 120L · 3.1 KB
├─ 📋 package.json  JSON 25L · 604 B
├─ 📝 README.md  Markdown 29L · 644 B
└─ 📝 SKILL.md  Markdown 369L · 12.6 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
No external Python dependencies | N/A | stdlib only | | Uses only Python standard library (json, argparse, subprocess, pathlib, datetime)

Security highlights

✓ No base64 encoding/decoding or obfuscation detected
✓ No reverse shell or C2 communication patterns
✓ No credential harvesting or environment variable exfiltration
✓ Documentation accurately describes all capabilities
✓ API credentials documented as requiring environment variables in production
✓ File operations are scoped to specific application directories
✓ Uses standard Python libraries (json, argparse, subprocess) without suspicious patterns
✓ No hidden HTML comments or embedded payloads
✓ Test workflow file validates the implementation is legitimate
✓ Dependencies properly declared (no untracked packages)