Suspicious — Risk Score 45/100
Last scan: 20 hr ago
ecommerce-category-collector
E-commerce category collection skill - Automated e-commerce category collection tool for the Audtools platform
Skill exposes hardcoded credentials in documentation, contains unused dangerous imports, and performs web scraping with unclear data handling practices.
Skill Name: ecommerce-category-collector
Duration: 41.3s
Engine: pi
Use with caution
Remove hardcoded credentials from documentation, eliminate unused child_process imports, and clarify data handling policies for collected e-commerce data.

Findings 4 items

Severity | Finding | Category | Location

[High] Hardcoded credentials in documentation (Credential Theft)
  Description: Real Audtools account credentials (username: 15715090600, password: zzw12345) are exposed in plain text in the SKILL.md precondition section
  Evidence: 1. Audtools account (phone number: 15715090600, password: zzw12345)
  → Remove credentials from documentation and use environment variables or config files instead
  Location: SKILL.md:11

[Medium] Unexplained child_process import (Sensitive Access)
  Description: scripts/collector.js imports execSync from the child_process module but never uses it - suspicious dormant code
  Evidence: const { execSync } = require('child_process');
  → Remove unused imports or document the legitimate use case
  Location: scripts/collector.js:13

[Medium] Undeclared browser automation capability (Doc Mismatch)
  Description: SKILL.md does not declare that the skill uses browser automation tools (browser:WRITE) - it only mentions a 'browser tool' in the description
  Evidence: Automatically batch-submits category link collection tasks to the Audtools e-commerce collection tool
  → Explicitly declare browser automation permissions in the capability section
  Location: SKILL.md:1

[Low] External third-party data collection (Doc Mismatch)
  Description: Skill automates scraping of third-party e-commerce sites (zaraoutlet.top) without declaring the data collection scope or handling policy
  Evidence: const CONFIG = { baseUrl: 'https://www.audtools.com', ... };
  → Document what data is collected, how it's processed, and where it's stored
  Location: scripts/collector.js:37
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | scripts/collector.js:14 - fs.readFileSync
Browser | NONE | WRITE | ✓ Aligned | scripts/collector.js:45-280 - browser.open/act/evaluate
Shell | NONE | READ | ✓ Aligned | scripts/collector.js:13 - execSync imported but unused
External URLs 15 findings

Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/version-1.0.0-blue | README.md:3
Medium | External URL | https://img.shields.io/badge/OpenClaw-Skill-green | README.md:4
Medium | External URL | https://img.shields.io/badge/license-MIT-orange | README.md:5
Medium | External URL | https://zaraoutlet.top/collections/woman-collection-blazers | SKILL.md:47
Medium | External URL | https://zaraoutlet.top/collections/woman-collection-bodies | SKILL.md:48
Medium | External URL | https://www.audtools.com/users/shopns#/users/shopns/collecs?spm=m-1-2-3 | SKILL.md:79
Medium | External URL | https://zaraoutlet.top/collections/woman-collection-cardigans-jumpers | references/csv-format.md:45
Medium | External URL | https://zaraoutlet.top/collections/woman-collection-co-ord-sets | references/csv-format.md:46
Medium | External URL | http://shop.example.com/collections/all | references/csv-format.md:60
Medium | External URL | https://www.example.com/collections/summer-dresses | references/csv-format.md:61
Medium | External URL | https://www.audtools.com | scripts/collector.js:15
Medium | External URL | https://www.audtools.com/login | scripts/collector.js:16
Medium | External URL | https://zaraoutlet.top/collections/woman-collection-dresses | test/sample.csv:6
Medium | External URL | https://zaraoutlet.top/collections/woman-collection-jackets | test/sample.csv:7
Medium | External URL | https://shop.example.com/collections/all | test/sample.csv:10

File Tree

6 files · 29.7 KB · 1013 lines
JavaScript 1 file · 573 lines | Markdown 3 files · 406 lines | JSON 1 file · 25 lines | CSV 1 file · 9 lines
├─ 📁 references
│ └─ 📝 csv-format.md Markdown 156L · 4.4 KB
├─ 📁 scripts
│ └─ 📜 collector.js JavaScript 573L · 16.3 KB
├─ 📁 test
│ └─ 📄 sample.csv CSV 9L · 1015 B
├─ 📋 package.json JSON 25L · 682 B
├─ 📝 README.md Markdown 150L · 3.8 KB
└─ 📝 SKILL.md Markdown 100L · 3.5 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
csv-parse | ^5.5.0 | npm | No | Version properly pinned

Security Positives

✓ No reverse shell or C2 infrastructure detected
✓ No base64-encoded or obfuscated code
✓ No unauthorized access to system paths like ~/.ssh or ~/.aws
✓ No cron/persistence mechanisms
✓ No data exfiltration to unknown external IPs
✓ Dependency csv-parse has pinned version (^5.5.0)
✓ No typosquatting or supply chain risks detected