Low risk, risk score 15/100
Last scanned: 19 hours ago
cf-crawl
Crawl websites using Cloudflare Browser Rendering /crawl API
This is a legitimate Cloudflare Browser Rendering API crawler with properly documented credentials handling, no obfuscation, and all network traffic confined to the intended Cloudflare API endpoint.
Skill name: cf-crawl
Analysis time: 51.3s
Engine: pi
Safe to install
Skill is safe to use. Ensure credential file permissions are restricted (chmod 600) and consider pinning jq version in any environment setup.

Security findings: 2

Severity / Finding / Location

Low: Minor documentation inconsistency (Documentation deception)
poll.sh is referenced in examples but not explicitly shown in Quick Start usage examples. Minor UX issue, not a security concern.
bash ~/clawd/skills/cf-crawl/scripts/poll.sh <job-id>
→ Consider adding poll.sh to Quick Start examples for completeness
Location: SKILL.md:32

Low: jq dependency not version-pinned (Supply chain)
Scripts rely on jq being installed but do not pin a specific version or verify installation.
#!/usr/bin/env bash
→ Add jq version check or document minimum version requirement
Location: scripts/crawl.sh:1

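| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Consistent | crawl.sh:line 218 - writes to --output file |
| Network access | READ | READ | ✓ Consistent | crawl.sh:line 132,138 - GET/POST to Cloudflare API |
| Command execution | WRITE | WRITE | ✓ Consistent | All scripts use bash; required for CLI functionality |
| Environment variables | READ | READ | ✓ Consistent | crawl.sh:line 21 - sources cloudflare-crawl.env |
| Skill invocation | NONE | NONE | | No skill invocation observed |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No direct browser control; uses Cloudflare's rendering service |
| Database | NONE | NONE | | No database access |
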
4 findings

Medium: External URL
https://docs.example.com/
SKILL.md:58

Medium: External URL
https://big-site.com
SKILL.md:78

Medium: External URL
https://api.cloudflare.com/client/v4/accounts/
references/api-reference.md:5

Medium: External URL
https://api.cloudflare.com/client/v4/accounts/$
scripts/crawl.sh:31

Directory structure

4 files · 14.0 KB · 448 lines
Shell 2f · 270L Markdown 2f · 178L
├─ 📁 references
│ └─ 📝 api-reference.md Markdown 85L · 3.2 KB
├─ 📁 scripts
│ ├─ 🔧 crawl.sh Shell 222L · 6.3 KB
│ └─ 🔧 poll.sh Shell 48L · 1.2 KB
└─ 📝 SKILL.md Markdown 93L · 3.4 KB

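Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| curl | any | system | | Standard HTTP client |
| jq | any | system | | JSON processor - version not pinned |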

Security highlights

✓ No obfuscation or base64-encoded payloads
✓ All network traffic confined to documented Cloudflare API endpoint
✓ No credential exfiltration - tokens only used for API authentication
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No environment variable enumeration (os.environ iteration)
✓ No remote script execution (curl|bash, wget|sh)
✓ Explicit credential documentation and storage location
✓ No reverse shell, C2, or data theft patterns
✓ Clean, readable shell scripts with proper error handling (set -euo pipefail)