Security Decision Report

ecommerce-category-collector

Skill exposes hardcoded credentials in documentation, contains unused dangerous imports, and performs web scraping with unclear data handling practices.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 6
IOCs: 15
Overreach items: 0
Findings: 4
Most direct threat evidence
High · Credential theft
Hardcoded credentials in documentation

Real Audtools account credentials (username: 15715090600, password: zzw12345) are exposed in plain text in the SKILL.md precondition section

SKILL.md:11

Why this conclusion was reached

1/4 dimensions triggered
Pass
Declared vs. actual capability

Declared resources are broadly consistent with inferred capabilities.

Review
Hidden execution and external connections

15 general-risk artifacts extracted; they need to be judged in context.

Block
Attack chains and high-risk findings

The report contains an attack chain with 0 steps and 1 additional high or critical finding.

Review
Dependencies and supply-chain hygiene

1 dependency or supply-chain lead requires attention.

How the risk score was raised

Hardcoded credentials in documentation +20

SKILL.md lines 11-12 expose real Audtools account credentials (15715090600/zzw12345) in plaintext

Unused execSync import +15

scripts/collector.js imports child_process.execSync but never uses it; potential dormant capability

Web scraping automation +10

Automates data collection from third-party e-commerce sites without declared data handling policy

Key evidence

High · Credential theft

Hardcoded credentials in documentation

Real Audtools account credentials (username: 15715090600, password: zzw12345) are exposed in plain text in the SKILL.md precondition section

SKILL.md:11
Remove credentials from documentation and use environment variables or config files instead

Medium · Sensitive access

Unexplained child_process import

scripts/collector.js imports execSync from the child_process module but never uses it; suspicious dormant code

scripts/collector.js:13
Remove unused imports or document the legitimate use case

Medium · Documentation deception

Undeclared browser automation capability

SKILL.md does not declare that the skill uses browser automation tools (browser:WRITE); it only mentions a 'browser tool' in the description

SKILL.md:1
Explicitly declare browser automation permissions in the capability section

Low · Documentation deception

External third-party data collection

Skill automates scraping of third-party e-commerce sites (zaraoutlet.top) without declaring data collection scope or handling policy

scripts/collector.js:37
Document what data is collected, how it is processed, and where it is stored

Declared capability vs. actual capability

File system · Pass
Declared: NONE
Inferred: READ
scripts/collector.js:14 - fs.readFileSync
Browser · Pass
Declared: NONE
Inferred: WRITE
scripts/collector.js:45-280 - browser.open/act/evaluate
Command execution · Pass
Declared: NONE
Inferred: READ
scripts/collector.js:13 - execSync imported but unused

Suspicious artifacts and external connections

Medium · External URL · https://img.shields.io/badge/version-1.0.0-blue · README.md:3
Medium · External URL · https://img.shields.io/badge/OpenClaw-Skill-green · README.md:4
Medium · External URL · https://img.shields.io/badge/license-MIT-orange · README.md:5
Medium · External URL · https://zaraoutlet.top/collections/woman-collection-blazers · SKILL.md:47
Medium · External URL · https://zaraoutlet.top/collections/woman-collection-bodies · SKILL.md:48
Medium · External URL · https://www.audtools.com/users/shopns#/users/shopns/collecs?spm=m-1-2-3 · SKILL.md:79
Medium · External URL · https://zaraoutlet.top/collections/woman-collection-cardigans-jumpers · references/csv-format.md:45
Medium · External URL · https://zaraoutlet.top/collections/woman-collection-co-ord-sets · references/csv-format.md:46
Medium · External URL · http://shop.example.com/collections/all · references/csv-format.md:60
Medium · External URL · https://www.example.com/collections/summer-dresses · references/csv-format.md:61
Medium · External URL · https://www.audtools.com · scripts/collector.js:15
Medium · External URL · https://www.audtools.com/login · scripts/collector.js:16

Dependencies and supply chain

Package    Version  Source  Vulnerabilities  Notes
csv-parse  ^5.5.0   npm                      Version properly pinned

File composition

6 files · 1013 lines
JavaScript 1 file · 573 lines
Markdown 3 files · 406 lines
JSON 1 file · 25 lines
CSV 1 file · 9 lines
Files needing attention · 5
scripts/collector.js JavaScript · 573 lines
Unexplained child_process import · External third-party data collection · https://www.audtools.com · https://www.audtools.com/login
references/csv-format.md Markdown · 156 lines
https://zaraoutlet.top/collections/woman-collection-cardigans-jumpers · https://zaraoutlet.top/collections/woman-collection-co-ord-sets · http://shop.example.com/collections/all · https://www.example.com/collections/summer-dresses
README.md Markdown · 150 lines
https://img.shields.io/badge/version-1.0.0-blue · https://img.shields.io/badge/OpenClaw-Skill-green · https://img.shields.io/badge/license-MIT-orange
SKILL.md Markdown · 100 lines
Hardcoded credentials in documentation · Undeclared browser automation capability · https://zaraoutlet.top/collections/woman-collection-blazers · https://zaraoutlet.top/collections/woman-collection-bodies · https://www.audtools.com/users/shopns#/users/shopns/collecs?spm=m-1-2-3
test/sample.csv CSV · 9 lines
https://zaraoutlet.top/collections/woman-collection-dresses · https://zaraoutlet.top/collections/woman-collection-jackets · https://shop.example.com/collections/all
Other files · package.json

Security highlights

No reverse shell or C2 infrastructure detected
No base64-encoded or obfuscated code
No unauthorized access to system paths like ~/.ssh or ~/.aws
No cron/persistence mechanisms
No data exfiltration to unknown external IPs
Dependency csv-parse has pinned version (^5.5.0)
No typosquatting or supply chain risks detected