Trusted — Risk Score 0/100
Last scan: 2 days ago
cosmetics-advisor-pengleni
Pengleni beauty assistant skill via SMS login/session APIs for AI virtual try-on, makeup analysis, and beauty Q&A
Legitimate beauty assistant chat API client with proper session management, HTML sanitization, and no malicious indicators.
Skill Name: cosmetics-advisor-pengleni
Duration: 27.1s
Engine: pi
Safe to install
This skill is safe for use. No security concerns identified.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All Python files: urllib.request.Request() for HTTP POST
Environment | READ | READ | ✓ Aligned | client_common.py:37 require_env() reads os.environ
Filesystem | READ | READ | ✓ Aligned | client_common.py:101-112 load_session()/save_session() only touch .env and .sess…
Shell | NONE | NONE | | No subprocess, os.system, or shell execution found
Skill Invoke | NONE | NONE | | No dynamic skill invocation detected
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation detected
Database | NONE | NONE | | No database access found
2 findings
Medium: External URL
https://www.zhibianai.com
SKILL.md:39

Medium: External URL
https://www.zhibianai.com/api/v1/clawhub
SKILL.md:40

File Tree

5 files · 18.9 KB · 606 lines
Python 4f · 464L Markdown 1f · 142L
├─ 🐍 chat_client.py Python 147L · 4.8 KB
├─ 🐍 client_common.py Python 180L · 5.2 KB
├─ 🐍 login_client.py Python 85L · 2.6 KB
├─ 🐍 send_code_client.py Python 52L · 1.5 KB
└─ 📝 SKILL.md Markdown 142L · 4.8 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
Python Standard Library | N/A | stdlib | No | Uses only built-in modules: urllib, json, html, argparse, os, sys, socket

Security Positives

✓ Uses only Python standard library (urllib, json, html, argparse) - no external dependencies
✓ HTML escaping via html.escape() prevents XSS in text_to_html_payload()
✓ SKILL.md section 6 documents security constraints (script/style/iframe tag blocking)
✓ Bearer token authentication is standard practice for API security
✓ Session management writes only user_id/session_id, not sensitive credentials
✓ Proper error handling with standardized error responses
✓ Timeout configuration prevents indefinite hangs
✓ Input validation through argparse for all CLI parameters