visa-itinerary-gen 安全扫描报告 — 可信 | ClawSafe

5 /100

visa-itinerary-gen

Generate consulate-grade visa itinerary documents from natural language input using flyai real-time travel data

A legitimate visa itinerary generator that uses flyai CLI for travel data and Playwright for PDF rendering. All operations are documented and necessary for the stated purpose.

技能名称visa-itinerary-gen

分析耗时34.5s

引擎pi

✓

可以安装

Approve for use. All shell commands and dependencies are declared, documented, and user-interactive.

安全发现 2 项

严重性	安全发现	位置
低危	Browser resource used without declaration 权限提升 The render_pdf.py script uses Playwright to launch a Chromium browser for PDF rendering, which requires browser:WRITE access. This is not explicitly declared in SKILL.md metadata. `browser = p.chromium.launch()` → Add Playwright to the install requirements in SKILL.md metadata	`scripts/render_pdf.py:107`
低危	Playwright installed without version pinning 供应链 The skill instructs users to install Playwright without specifying a version, which could lead to dependency version conflicts. `pip3 install playwright && python3 -m playwright install chromium` → Consider pinning Playwright version for reproducibility	`SKILL.md:79`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md lines 60-100: flyai CLI commands for flights, hotels, attractions
文件系统	`READ+WRITE`	`READ+WRITE`	✓ 一致	SKILL.md line 149: writes travel_plan.md; scripts/render_pdf.py: writes temp HTM…
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: accesses Fliggy API via flyai CLI for travel data
浏览器	`NONE`	`WRITE`	✓ 一致	scripts/render_pdf.py line 107: uses playwright.sync_api for PDF rendering
剪贴板	`NONE`	`WRITE`	✓ 一致	templates/booking_links_*.html: copyLink() uses navigator.clipboard.writeText()

28 项发现

🔗

中危外部 URL 外部 URL

https://zephryve.github.io/visa-itinerary-gen/

README.md:5

🔗

中危外部 URL 外部 URL

https://nodejs.org/

SKILL.md:76

🔗

中危外部 URL 外部 URL

https://python.org/

SKILL.md:78

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/08rXE4

templates/booking_links_cn.html:246

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1TWb2F

templates/booking_links_cn.html:268

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/3OwpqL

templates/booking_links_cn.html:292

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/0HQwRo

templates/booking_links_cn.html:304

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/0YauhQ

templates/booking_links_cn.html:316

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1I6zBw

templates/booking_links_cn.html:328

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1iNGoU

templates/booking_links_cn.html:351

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/08k6yf

templates/booking_links_cn.html:365

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1IlyBx

templates/booking_links_cn.html:367

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/2X7N5t

templates/booking_links_cn.html:369

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1Ru3ow

templates/booking_links_cn.html:371

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/4gE9zW

templates/booking_links_cn.html:373

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/0yb2rn

templates/booking_links_cn.html:375

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/102qFq

templates/booking_links_cn.html:377

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/48UFDp

templates/booking_links_cn.html:379

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/16uuwx

templates/booking_links_cn.html:381

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/0UJBIJ

templates/booking_links_cn.html:383

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/0n4XX1

templates/booking_links_cn.html:385

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/0AO6d5

templates/booking_links_cn.html:387

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/0qXo5z

templates/booking_links_cn.html:389

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1q1EjB

templates/booking_links_cn.html:391

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1BekgP

templates/booking_links_cn.html:393

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/1HFqXK

templates/booking_links_cn.html:395

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/07T71O

templates/booking_links_cn.html:397

📧

提示邮箱邮箱地址

[email protected]

README.md:130

目录结构

5 文件 · 73.1 KB · 1469 行

HTML 2f · 823L Markdown 2f · 446L Python 1f · 200L

├─ ▾ 📁 scripts

│ └─ 🐍 render_pdf.py Python 200L · 5.5 KB

├─ ▾ 📁 templates

│ ├─ 📄 booking_links_cn.html HTML 409L · 22.3 KB

│ └─ 📄 booking_links_en.html HTML 414L · 22.1 KB

├─ 📝 README.md Markdown 130L · 4.8 KB

└─ 📝 SKILL.md Markdown 316L · 18.4 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`@fly-ai/flyai-cli`	`latest`	npm	否	Third-party travel search CLI, installed globally via npm
`playwright`	`unpinned`	pip	否	Version not pinned in install instructions

安全亮点

✓ No credential theft - skill does not access ~/.ssh, ~/.aws, .env, or any credential paths

✓ No data exfiltration - no external POST requests with user data

✓ No obfuscation - no base64, eval(), or anti-analysis techniques

✓ No hidden functionality - all shell commands and operations are documented in SKILL.md

✓ No remote script execution - no curl|bash or wget|sh patterns

✓ User-interactive dependency installation - always asks permission before installing

✓ Clean HTML templates - no malicious JavaScript beyond standard clipboard copy

✓ Temporary files are properly cleaned up after PDF generation