Low risk: risk score 12/100
Last scan: 2 days ago
fanli
Product link conversion and cross-platform price comparison assistant
Legitimate shopping assistant skill for converting product links to affiliate links and comparing prices across platforms. All capabilities are documented and aligned with expected behavior.
Skill name: fanli
Analysis time: 36.6s
Engine: pi
Safe to install
Safe to use. The skill requires FX_AI_API_KEY for fenxiang-ai platform authentication and sends product links to an external API for processing, which is expected functionality.

Security findings (2)

Severity | Finding | Location

Low | Documentation inconsistency | README.md:70
README.md lists 'Python 3' and 'curl' as dependencies, but the actual scripts are Node.js (ES modules with the .mjs extension). SKILL.md correctly specifies 'Node.js 18+'.
Evidence (README.md):
- Python 3
- curl
→ Update README.md to reflect the Node.js 18+ dependency instead of Python 3 and curl

Info | External dependency on fx-base | scripts/convert.mjs:11
The script imports fx-api.mjs from the fx-base sibling directory. If fx-base is compromised, this skill could be affected.
Evidence (scripts/convert.mjs):
const _fxApiPath = join(_scriptDir, '../../fx-base/scripts/fx-api.mjs')
→ Ensure fx-base comes from a trusted source and is verified
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | Bash(node {baseDir}/scripts/run.mjs:*) - uses spawn for Node.js script execution
File system | READ | READ | ✓ Consistent | Read({baseDir}/**) - reads templates and reference files
Network access | READ | READ | ✓ Consistent | Makes API calls to api-ai-brain.fenxianglife.com - declared in SKILL.md
Environment variables | READ | READ | ✓ Consistent | Accesses FX_AI_API_KEY - declared in metadata.requires.env
10 findings

Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/ClawHub-fanli-blue | README.md:3
Medium | External URL | https://clawhub.ai/fangshan101-coder/fanli | README.md:3
Medium | External URL | https://platform.fenxiang-ai.com/docs | README.md:21
Medium | External URL | https://u.jd.com/xxx | README.md:40
Medium | External URL | https://platform.fenxiang-ai.com/ | SKILL.md:24
Medium | External URL | https://api-ai-brain.fenxianglife.com | SKILL.md:25
Medium | External URL | https://e.tb.cn/h.iWHhFu8oHNytYbb | references/convert-output.md:91
Medium | External URL | https://img.alicdn.com/bao/uploaded/i3/3937219703/O1CN01C9uNI52LY28zuHGyn.jpg | references/convert-output.md:101
Medium | External URL | https://s.click.taobao.com/na6oIkm | references/convert-output.md:117
Medium | External URL | https://e.tb.cn/h.xxx | scripts/compare-price.mjs:34

Directory structure

7 files · 23.0 KB · 731 lines
Markdown: 4 files · 371 lines; JavaScript: 3 files · 360 lines
├─ 📁 references
│ ├─ 📝 compare-price-output.md Markdown 39L · 1.1 KB
│ └─ 📝 convert-output.md Markdown 148L · 4.5 KB
├─ 📁 scripts
│ ├─ 📜 compare-price.mjs JavaScript 116L · 3.6 KB
│ ├─ 📜 convert.mjs JavaScript 112L · 3.3 KB
│ └─ 📜 run.mjs JavaScript 132L · 3.9 KB
├─ 📝 README.md Markdown 87L · 2.0 KB
└─ 📝 SKILL.md Markdown 97L · 4.6 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
fx-base | * | local sibling directory | | External library imported at runtime
Node.js 18+ | 18+ | system | | Built-in fetch API used for HTTP requests

Security highlights

✓ All capabilities declared in SKILL.md match actual implementation
✓ No credential harvesting beyond required API key (expected for authentication)
✓ No data exfiltration beyond normal API functionality
✓ No base64, eval, or suspicious code patterns detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Data flow clearly documented (product links → external API)
✓ No remote script execution (curl|bash, wget|sh patterns)
✓ Error handling properly implemented with user-friendly messages