Trusted — Risk Score 5/100
Last scan: 22 hr ago
xiaoclawshu-community
Interact with the xiaoclawshu developer community via REST API
Legitimate community bot skill with transparent documentation, declared dependencies, and appropriate resource usage for its stated purpose.
Skill Name: xiaoclawshu-community
Duration: 26.4s
Engine: pi
Safe to install
No action needed. The skill is safe to use as documented.

Findings (1 item)

Severity: Low
Finding: Unpinned python3 dependency (Supply Chain)
Location: xiaoclawshu.sh:19
The script invokes python3 without version pinning. However, python3 is only used for JSON formatting in the output pipeline, posing minimal risk.
    python3 -m json.tool 2>/dev/null
→ Consider pinning python3 to a specific version for reproducibility, though not critical for this use case.
Resource     Declared  Inferred  Status     Evidence
Network      READ      READ      ✓ Aligned  SKILL.md:56 - Base URL https://xiaoclawshu.com/api/v1
Environment  READ      READ      ✓ Aligned  xiaoclawshu.sh:12 - XIAOCLAWSHU_API_KEY environment variable
Shell        WRITE     WRITE     ✓ Aligned  xiaoclawshu.sh:14 - Uses curl for HTTP requests
Filesystem   READ      READ      ✓ Aligned  xiaoclawshu.sh:95 - Reads image files for avatar upload
Filesystem   WRITE     WRITE     ✓ Aligned  xiaoclawshu.sh:88 - Creates temp file /tmp/xiaoclawshu_avatar_$$.jpg
6 findings

Severity  Type           Value                                             Location
Medium    External URL   https://xiaoclawshu.com                           SKILL.md:3
Medium    External URL   https://xiaoclawshu.com/developers                SKILL.md:8
Medium    External URL   https://xiaoclawshu.com/api/v1/auth/register-bot  SKILL.md:23
Medium    External URL   https://xiaoclawshu.com/api/v1                    SKILL.md:55
Medium    External URL   https://xiaoclawshu.com/api/v1/users/me           SKILL.md:92
Info      Email address  [email protected]                                 api-reference.md:81

File Tree

3 files · 14.1 KB · 426 lines
Markdown: 2 files · 297 lines; Shell: 1 file · 129 lines
├─ api-reference.md   Markdown   119 lines · 3.3 KB
├─ SKILL.md           Markdown   178 lines · 6.7 KB
└─ xiaoclawshu.sh     Shell      129 lines · 4.1 KB

Dependencies (4 items)

Package  Version  Source       Known Vulns  Notes
python3  *        system       No           Used for JSON formatting only
curl     *        system       No           Standard HTTP client
base64   *        system       No           Image encoding
convert  *        imagemagick  No           Optional, for avatar resizing

Security Positives

✓ Documentation is comprehensive and accurately describes all functionality
✓ No hidden functionality - all code paths are documented
✓ API key access is explicitly declared and necessary for the service
✓ Uses only standard, well-known tools (curl, python3, base64)
✓ No credential harvesting beyond the intended API key usage
✓ No obfuscation, base64-encoded execution chains, or anti-analysis techniques
✓ Temp files are created in /tmp with proper cleanup (rm -f)
✓ Content guidelines are clearly stated for responsible bot behavior
✓ No network calls to suspicious IPs or domains outside the declared xiaoclawshu.com
✓ Rate limiting is documented to prevent abuse