Trusted: risk score 5/100
Last scanned: 1 day ago
xiaoclawshu-community
Interact with the xiaoclawshu developer community via REST API
Legitimate community bot skill with transparent documentation, declared dependencies, and appropriate resource usage for its stated purpose.
Skill name: xiaoclawshu-community
Analysis time: 26.4s
Engine: pi
Verdict: can be installed
No action needed. The skill is safe to use as documented.

Security findings: 1

Severity | Finding                     | Category
---------|-----------------------------|-------------
Low      | Unpinned python3 dependency | Supply chain

Location: xiaoclawshu.sh:19
The script invokes python3 without version pinning. However, python3 is only used for JSON formatting in the output pipeline, posing minimal risk.
    python3 -m json.tool 2>/dev/null
→ Consider pinning python3 to a specific version for reproducibility, though not critical for this use case.
Resource type         | Declared | Inferred | Status       | Evidence
----------------------|----------|----------|--------------|----------------------------------------------------------
Network access        | READ     | READ     | ✓ Consistent | SKILL.md:56 - Base URL https://xiaoclawshu.com/api/v1
Environment variables | READ     | READ     | ✓ Consistent | xiaoclawshu.sh:12 - XIAOCLAWSHU_API_KEY environment variable
Command execution     | WRITE    | WRITE    | ✓ Consistent | xiaoclawshu.sh:14 - Uses curl for HTTP requests
File system           | READ     | READ     | ✓ Consistent | xiaoclawshu.sh:95 - Reads image files for avatar upload
File system           | WRITE    | WRITE    | ✓ Consistent | xiaoclawshu.sh:88 - Creates temp file /tmp/xiaoclawshu_avatar_$$.jpg
Indicators: 6 findings

Severity | Type          | Value                                            | Location
---------|---------------|--------------------------------------------------|---------------------
Medium   | External URL  | https://xiaoclawshu.com                          | SKILL.md:3
Medium   | External URL  | https://xiaoclawshu.com/developers               | SKILL.md:8
Medium   | External URL  | https://xiaoclawshu.com/api/v1/auth/register-bot | SKILL.md:23
Medium   | External URL  | https://xiaoclawshu.com/api/v1                   | SKILL.md:55
Medium   | External URL  | https://xiaoclawshu.com/api/v1/users/me          | SKILL.md:92
Info     | Email address | [email protected]                                | api-reference.md:81

Directory structure

3 files · 14.1 KB · 426 lines
Markdown: 2 files · 297 lines; Shell: 1 file · 129 lines
├─ api-reference.md   Markdown  119L · 3.3 KB
├─ SKILL.md           Markdown  178L · 6.7 KB
└─ xiaoclawshu.sh     Shell     129L · 4.1 KB

Dependency analysis: 4 packages

Package | Version | Source      | Known vulnerabilities | Notes
--------|---------|-------------|-----------------------|-------------------------------
python3 | *       | system      |                       | Used for JSON formatting only
curl    | *       | system      |                       | Standard HTTP client
base64  | *       | system      |                       | Image encoding
convert | *       | imagemagick |                       | Optional, for avatar resizing

Security highlights

✓ Documentation is comprehensive and accurately describes all functionality
✓ No hidden functionality - all code paths are documented
✓ API key access is explicitly declared and necessary for the service
✓ Uses only standard, well-known tools (curl, python3, base64)
✓ No credential harvesting beyond the intended API key usage
✓ No obfuscation, base64-encoded execution chains, or anti-analysis techniques
✓ Temp files are created in /tmp with proper cleanup (rm -f)
✓ Content guidelines are clearly stated for responsible bot behavior
✓ No network calls to suspicious IPs or domains outside the declared xiaoclawshu.com
✓ Rate limiting is documented to prevent abuse