Low Risk — Risk Score 15/100
Last scan: 2 days ago
vipshop-product-search
Vipshop product search skill: search products, compare prices and find discounts on vip.com
Legitimate VIP.com product search skill using official APIs with proper token management and no malicious indicators.
Skill Name: vipshop-product-search
Duration: 25.3s
Engine: pi
Safe to install
Approve for use. The skill performs standard e-commerce product search functionality with no credential exfiltration or suspicious network behavior.

Findings 3 items

Severity Finding Location
Info
Hardcoded IP placeholder
Pre-scan flagged '120.0.0.0' as a hardcoded IP address. Code analysis shows it is the placeholder value of mars_cid (a device-tracking identifier), not a host the script connects to. No exfiltration observed.
mars_cid = ''
→ No action required: this is a standard tracking identifier, not malicious. Check to repeat on future versions: the literal should only ever appear as a parameter value, never as a request host or URL.
scripts/search.py:59
Info
Token storage in user home directory
The skill stores session tokens in ~/.vipshop-user-login/tokens.json, a normal per-user location for VIP.com authentication state.
token_file = Path.home() / '.vipshop-user-login' / 'tokens.json'
→ No action required: standard token management pattern. Caveat: the file holds a live session token, so it should be created with owner-only permissions (0600 file, 0700 directory); a world-readable tokens.json would expose the session to any other local user.
scripts/search.py:22
Info
Uses only Python standard library
The skill uses only Python standard library modules (urllib, json, pathlib). No external dependencies required, reducing supply chain risk.
import sys, json, urllib.request, urllib.parse
→ Positive security feature: minimizes the dependency attack surface.
scripts/search.py:1
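The token-storage finding above records where the skill keeps its session token but says nothing about how the file is protected. The following is an added example, not code from the vipshop-product-search skill or from the scanner: it writes such a file with owner-only permissions and audits an existing one for loose modes. The only thing it takes from the report is the path; the demo function writes to a temporary directory, never to the real home directory.

```python
"""Added example (not the skill's or the scanner's code): write a session-token
file with owner-only permissions and audit an existing one for loose modes.
The path constant mirrors the location reported in the finding."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Location the scan reports for the skill's token file (finding 2).
TOKEN_FILE = Path.home() / ".vipshop-user-login" / "tokens.json"
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def save_tokens(tokens: Dict[str, str], token_file: Path = TOKEN_FILE) -> Path:
    """Persist tokens so only the owner can read them: 0700 directory, 0600 file,
    written via a temp file and rename so a crash never leaves a partial or
    world-readable tokens.json behind."""
    token_file.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(token_file.parent, 0o700)
    fd, tmp = tempfile.mkstemp(dir=token_file.parent, prefix=".tokens.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(tokens, fh)
        os.chmod(tmp, 0o600)  # mkstemp already uses 0600; made explicit here
        os.replace(tmp, token_file)
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise
    return token_file


def load_tokens(token_file: Path = TOKEN_FILE) -> Dict[str, str]:
    with token_file.open(encoding="utf-8") as fh:
        return json.load(fh)


def audit_token_file(token_file: Path = TOKEN_FILE) -> List[str]:
    """Problems a reviewer would flag: missing file, a symlink in place of the
    file, or group/other permission bits on the file or its directory."""
    problems: List[str] = []
    if not token_file.exists():
        return ["missing"]
    st = token_file.lstat()
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    if st.st_mode & GROUP_OTHER:
        problems.append(f"mode {stat.filemode(st.st_mode)} readable by others")
    dst = token_file.parent.stat()
    if dst.st_mode & GROUP_OTHER:
        problems.append(f"directory mode {stat.filemode(dst.st_mode)} open to others")
    return problems


def demo() -> Dict[str, object]:
    """Constructed round trip in a temporary directory, never the real home."""
    base = Path(tempfile.mkdtemp())
    path = base / ".vipshop-user-login" / "tokens.json"
    save_tokens({"access_token": "constructed-example-token"}, path)
    result: Dict[str, object] = {"loaded": load_tokens(path), "clean": audit_token_file(path)}
    os.chmod(path, 0o644)  # simulate a careless write under the default umask
    result["loose"] = audit_token_file(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `audit_token_file()` against the real path is the one-line check a reviewer can add to the approval step; anything other than an empty list means the token is readable by other local accounts.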
Resource   | Declared | Inferred | Status    | Evidence
Shell      | WRITE    | WRITE    | ✓ Aligned | SKILL.md: Executes python3 scripts/search.py
Filesystem | READ     | READ     | ✓ Aligned | scripts/search.py: Reads ~/.vipshop-user-login/tokens.json
Network    | READ     | READ     | ✓ Aligned | scripts/search.py: Makes API calls to mapi-pc.vip.com
Pre-scan pattern findings: 9 (1 High, 8 Medium). These are raw pattern matches; the code analysis above resolves the IP literal as finding 1, and the vip.com endpoints are the official hosts listed under Security Positives.
📡 High · Hardcoded IP address · 120.0.0.0 · scripts/search.py:59
🔗 Medium · External URL · https://detail.vip.com/detail-1710613281-6920685689731485274.html · README.md:136
🔗 Medium · External URL · https://h2.appsimg.com/xxx.jpg · README.md:138
🔗 Medium · External URL · https://detail.vip.com/... · README.md:173
🔗 Medium · External URL · https://mapi-pc.vip.com/vips-mobile/rest/shopping/skill/search/product/rank · README.md:410
🔗 Medium · External URL · https://mapi-pc.vip.com/vips-mobile/rest/shopping/skill/product/module/list/v2 · README.md:417
🔗 Medium · External URL · https://www.vip.com/ · scripts/search.py:62
🔗 Medium · External URL · https://www.vip.com · scripts/search.py:63
🔗 Medium · External URL · https://detail.vip.com/detail- · scripts/search.py:214
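The pre-scan list above is a flat pattern match; the analysis step behind it has to decide whether an IP literal is a connection target and whether each URL points at a host the skill declares. The following is an added example of that step, not the scanner's or the skill's code: a static pass over Python source with `ast` that extracts URL hosts and bare IP literals, then checks them against a declared host list. The source it scans is constructed here to mirror the report's patterns (the mars_cid placeholder and a mapi-pc.vip.com call) plus one deliberately undeclared IP host, 203.0.113.9, which is invented for the negative case and does not exist in the real skill.

```python
"""Added example (not the scanner's or the skill's code): a static pre-scan over
Python source that pulls out URL hosts and bare IP literals with `ast`, then
checks them against the hosts the skill declares. The scanned source is
constructed to mirror the report's patterns; the 203.0.113.9 beacon is invented
as a negative case and does not exist in the real skill."""
import ast
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample of a skill script, not the real scripts/search.py.
CONSTRUCTED_SOURCE = '''
import urllib.parse, urllib.request
mars_cid = "120.0.0.0"   # tracking-id placeholder sent as a parameter, never a host
API = "https://mapi-pc.vip.com/vips-mobile/rest/shopping/skill/search/product/rank"
REFERER = "https://www.vip.com/"
BEACON = "http://203.0.113.9/collect"   # constructed: an IP literal used as a URL host

def search(keyword):
    query = urllib.parse.urlencode({"keyword": keyword, "mars_cid": mars_cid})
    req = urllib.request.Request(API + "?" + query, headers={"Referer": REFERER})
    return urllib.request.urlopen(req).read()
'''

DECLARED_HOSTS = ["mapi-pc.vip.com", "www.vip.com"]  # assumed SKILL.md declaration


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_indicators(source: str) -> Dict[str, List[str]]:
    """Walk every string constant: URLs contribute their host, bare IP strings
    are recorded separately, and IPs that appear as a URL host are tracked so
    they can be rated higher than a placeholder value."""
    hosts, bare_ips, ip_hosts = set(), set(), set()
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        parts = urlsplit(node.value)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname)
            if _is_ip(parts.hostname):
                ip_hosts.add(parts.hostname)
        elif _is_ip(node.value):
            bare_ips.add(node.value)
    return {"hosts": sorted(hosts), "bare_ips": sorted(bare_ips), "ip_hosts": sorted(ip_hosts)}


def check_alignment(indicators: Dict[str, List[str]], declared_hosts: List[str]) -> List[str]:
    """Simple rating: an undeclared host is Medium, an undeclared IP host is High,
    a bare IP literal that is never used as a host is Info."""
    declared = set(declared_hosts)
    findings: List[str] = []
    for host in indicators["hosts"]:
        if host not in declared:
            sev = "High" if host in indicators["ip_hosts"] else "Medium"
            findings.append(f"{sev}: undeclared host {host}")
    for ip in indicators["bare_ips"]:
        findings.append(f"Info: bare IP literal {ip} not used as a URL host")
    return findings


if __name__ == "__main__":
    for line in check_alignment(extract_indicators(CONSTRUCTED_SOURCE), DECLARED_HOSTS):
        print(line)
```

The check only sees complete URL literals. A host assembled at runtime ("http://" + ip, or a URL read from a config file) does not appear in any single string constant, which is why a bare IP literal still deserves a manual look at its uses even when it is rated Info.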

File Tree

3 files · 41.9 KB · 1086 lines
Markdown: 2 files, 680 lines · Python: 1 file, 406 lines
├─ 📁 scripts
│ └─ 🐍 search.py Python 406L · 12.7 KB
├─ 📝 README.md Markdown 503L · 20.0 KB
└─ 📝 SKILL.md Markdown 177L · 9.2 KB

Security Positives

✓ Uses only Python standard library (urllib, json, pathlib) - no external dependencies
✓ Makes requests to official VIP.com API endpoints (mapi-pc.vip.com)
✓ Token management is standard and documented
✓ No credential exfiltration observed
✓ No base64/eval/exec patterns found
✓ No curl|bash or remote script execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ SKILL.md accurately declares all capabilities