Low Risk — Risk Score 20/100
Last scan: 1 day ago
x-mobile-longshot
Render X (Twitter) posts, long articles, and mobile reading pages into mobile-style long screenshots and optional single-page PDFs using Playwright.
This is a legitimate X/Twitter screenshot rendering tool with undocumented shell execution for PDF conversion, but the risk is minimal as file paths are script-generated and Playwright usage is properly documented.
Skill Name: x-mobile-longshot
Duration: 32.2s
Engine: pi
Safe to install
Declare the filesystem WRITE and shell:WRITE permissions in SKILL.md for transparency. Consider moving Python image processing to a Node.js library to eliminate the spawnSync pattern.

Findings 3 items

Finding 1 (Severity: Low): Shell execution not declared in SKILL.md [Doc Mismatch]
The script uses spawnSync to execute python3 with generated code for image processing (PIL/Pillow operations). This shell:WRITE capability is not mentioned in SKILL.md.
Evidence:
const r = spawnSync('python3', ['-c', code], { encoding: 'utf8' });
→ Add 'shell:WRITE' to the declared allowed-tools mapping and document the Python dependency in SKILL.md
Location: scripts/render_x_longshot.js:77

Finding 2 (Severity: Low): Filesystem write access not declared [Doc Mismatch]
The script creates directories and writes PNG/PDF files using the Node.js fs module, but filesystem:WRITE is not declared in SKILL.md.
Evidence:
fs.mkdirSync(path.dirname(args.outPng), { recursive: true });
→ Declare filesystem:WRITE permission in SKILL.md since the tool writes output files
Location: scripts/render_x_longshot.js:83

Finding 3 (Severity: Info): Python code injection via template strings [Obfuscation]
Python code is dynamically constructed with interpolated file paths. While the inputs are script-generated (not user-supplied), this pattern could become risky if the script is extended.
Evidence:
from PIL import Image
raw = Image.open(r'''${rawPng}''').convert('RGB')
→ Consider using a Node.js image library (e.g., sharp) instead of spawning Python processes to eliminate the injection surface
Location: scripts/render_x_longshot.js:120
Resource    | Declared | Inferred | Status      | Evidence
Filesystem  | NONE     | WRITE    | ✗ Violation | scripts/render_x_longshot.js:83 fs.mkdirSync
Shell       | NONE     | WRITE    | ✗ Violation | scripts/render_x_longshot.js:77 spawnSync('python3', ['-c', code])
Browser     | READ     | READ     | ✓ Aligned   | scripts/render_x_longshot.js:89 chromium.launch() with user-provided URLs
Network     | READ     | READ     | ✓ Aligned   | scripts/render_x_longshot.js:91 page.goto(args.url)
Environment | NONE     | NONE     | -           | No environment variable access detected
1 finding
Medium: External URL
https://x.com/i/status/2030475950752710891
SKILL.md:16

File Tree

3 files · 9.4 KB · 280 lines
JavaScript: 1 file, 171 lines · Markdown: 2 files, 109 lines
├─ 📁 references
│ └─ 📝 notes.md Markdown 29L · 1.5 KB
├─ 📁 scripts
│ └─ 📜 render_x_longshot.js JavaScript 171L · 5.1 KB
└─ 📝 SKILL.md Markdown 80L · 2.8 KB

Dependencies 2 items

Package    | Version | Source | Known Vulns | Notes
playwright | *       | npm    | No          | No version pin; could install the latest release, which may have vulnerabilities
pillow     | *       | pip    | No          | Runtime dependency via spawnSync, not declared in package.json

Security Positives

✓ No credential harvesting or sensitive file access
✓ No network exfiltration or C2 communication
✓ No base64 encoding or obfuscation patterns
✓ No curl|bash or remote script execution
✓ Browser automation via Playwright is properly documented
✓ File paths are script-generated, not user-controlled, reducing injection risk