Trusted: risk score 5/100
Last scanned: 2 days ago
nuomi-xhs-card
Local Markdown/MDX to Xiaohongshu-style card image generator with 24 themes, light/dark modes, and intelligent pagination
This is a legitimate local Markdown-to-image card renderer with no malicious behavior. All functionality is properly documented and implemented using standard Node.js tooling (Playwright, React, unified ecosystem).
Skill name: nuomi-xhs-card
Analysis time: 45.3s
Engine: pi
Install status: can be installed
This skill is safe to use. No security concerns identified.

Security findings: 2

Severity | Finding | Location

Low | Remote image fetching in WeChat mode | scripts/src/core/structure.ts:22
  The --wechat-mode option fetches remote images and converts them to data URLs. This network access is not documented in SKILL.md. Because the image URLs are taken from the Markdown being rendered, whoever supplies the input document chooses which hosts the tool connects to; a caller should be aware of that before rendering untrusted content in this mode.
  Evidence: const response = await fetch(url, {...})
  → Add documentation for the --wechat-mode option, including its network access behavior

Info | Standard Playwright browser installation | scripts/setup.sh:14
  setup.sh installs the Playwright Chromium browser via npx. This is standard practice and not a security concern.
  Evidence: npx --prefix "${SCRIPT_DIR}" playwright install chromium
  → No action needed; this is expected behavior for browser automation tools
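To make the low-severity finding concrete, here is an added example of what a guarded version of the fetch at scripts/src/core/structure.ts:22 could look like. It is not code from nuomi-xhs-card: the function names, the 5 MiB cap, the 10 s timeout, the accepted image types and the in-memory fake fetch used to run it offline are all assumptions made for this example. The idea is that a URL pulled out of an input document is validated (scheme, credentials, loopback/link-local/private hosts), redirects are refused so an allowed host cannot bounce the request to an internal address, and the response is checked for an image content type and a size limit before it is turned into a data URL.

```typescript
// Added example, not code from nuomi-xhs-card: a guarded version of the
// `fetch(url, {...})` call flagged at scripts/src/core/structure.ts:22.
// Image URLs come from the Markdown being rendered, so the request is
// constrained before any network access. The function names, the limits and
// the in-memory fake fetch below are assumptions made for this example.
import { isIP } from "node:net";

const MAX_IMAGE_BYTES = 5 * 1024 * 1024; // assumed cap: 5 MiB per image
const FETCH_TIMEOUT_MS = 10_000;         // assumed per-request timeout

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Accept only http(s) URLs that do not point at loopback, link-local
// (including the 169.254.169.254 cloud metadata address) or private ranges.
export function isSafeImageUrl(raw: string): boolean {
  const u = parseUrl(raw);
  if (!u) return false;
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username || u.password) return false;
  // URL.hostname keeps the brackets around IPv6 literals; drop them for isIP().
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  const family = isIP(host);
  if (family === 4) {
    const parts = host.split(".").map(Number);
    const a = parts[0] ?? -1;
    const b = parts[1] ?? -1;
    if (a === 0 || a === 10 || a === 127) return false;
    if (a === 169 && b === 254) return false;
    if (a === 172 && b >= 16 && b <= 31) return false;
    if (a === 192 && b === 168) return false;
  } else if (family === 6) {
    if (host === "::" || host === "::1") return false;
    if (host.startsWith("fe80:") || host.startsWith("fc") || host.startsWith("fd")) return false;
    if (host.startsWith("::ffff:")) return false; // IPv4-mapped: reject instead of re-parsing
  }
  return true;
}

export function toDataUrl(contentType: string, bytes: Uint8Array): string {
  return `data:${contentType};base64,${Buffer.from(bytes).toString("base64")}`;
}

// The subset of fetch() this helper relies on, so a stand-in can be injected offline.
type FetchLike = (url: string, init: { signal: AbortSignal; redirect: "error" }) => Promise<{
  ok: boolean;
  headers: { get(name: string): string | null };
  arrayBuffer(): Promise<ArrayBufferLike>;
}>;

export async function fetchImageAsDataUrl(
  url: string,
  fetchImpl: FetchLike = (globalThis as any).fetch as FetchLike,
): Promise<string> {
  if (!isSafeImageUrl(url)) throw new Error(`refusing to fetch ${url}`);
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), FETCH_TIMEOUT_MS);
  try {
    // redirect: "error" stops an allowed host from redirecting to an internal address.
    const res = await fetchImpl(url, { signal: ctl.signal, redirect: "error" });
    if (!res.ok) throw new Error(`HTTP error fetching ${url}`);
    const type = ((res.headers.get("content-type") ?? "").split(";")[0] ?? "").trim().toLowerCase();
    if (!/^image\/(png|jpeg|gif|webp)$/.test(type)) throw new Error(`unexpected content-type "${type}"`);
    if (Number(res.headers.get("content-length") ?? 0) > MAX_IMAGE_BYTES) throw new Error("image too large");
    const bytes = new Uint8Array(await res.arrayBuffer());
    if (bytes.byteLength > MAX_IMAGE_BYTES) throw new Error("image too large"); // content-length can lie
    return toDataUrl(type, bytes);
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-in for fetch (no real network I/O): answers *.png with the
// 8-byte PNG signature and anything else with an HTML body.
const PNG_SIGNATURE = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
export const fakeFetch: FetchLike = async (url) => {
  const isPng = url.endsWith(".png");
  const body = isPng ? PNG_SIGNATURE : new TextEncoder().encode("<html>not an image</html>");
  const type = isPng ? "image/png" : "text/html; charset=utf-8";
  return {
    ok: true,
    headers: {
      get: (name) => {
        const n = name.toLowerCase();
        return n === "content-type" ? type : n === "content-length" ? String(body.byteLength) : null;
      },
    },
    arrayBuffer: async () => body.buffer,
  };
};

// Demo: one accepted image, one rejected content type, one rejected host.
export async function demo(): Promise<string[]> {
  const out: string[] = [];
  out.push(await fetchImageAsDataUrl("https://example.com/pic.png", fakeFetch));
  for (const u of ["https://example.com/page.html", "http://127.0.0.1/pic.png"]) {
    try { await fetchImageAsDataUrl(u, fakeFetch); out.push("ACCEPTED " + u); }
    catch (e) { out.push("rejected " + u + ": " + (e as Error).message); }
  }
  return out;
}

demo().then((lines) => { for (const l of lines) console.log(l); });
```

The host check runs on the literal hostname, not on what DNS resolves it to, so a name that resolves to an internal address would still pass it; a deployment that must defend against that needs to resolve first and connect to the checked address, which the Node fetch API does not expose directly. Reading the whole body before the second size check is also a simplification; a streaming read that aborts at the cap is the stricter form.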
Resource | Declared | Inferred | Status | Evidence
File system | READ | WRITE | ✓ consistent | Reads Markdown, writes PNG outputs and report JSON
Network access | NONE | READ | ✓ consistent | scripts/src/core/structure.ts:22: fetch() for remote images in WeChat mode
Command execution | WRITE | WRITE | ✓ consistent | scripts/setup.sh uses npm ci/install and npx playwright install
External URLs: 2 found

Medium | External URL | http://www.w3.org/2000/svg | assets/templates/alibaba.html:180
  This is the SVG XML namespace identifier (the xmlns value), not a resource the template loads; no request is ever made to it.
Medium | External URL | https://opencollective.com/unified | scripts/package-lock.json:511
  Package metadata recorded in the lockfile (a funding link for the unified project); it is not fetched during installation or at runtime.

Directory structure

44 files · 472.2 KB · 18,462 lines
HTML 24 files · 13,133 lines | JSON 3 files · 3,230 lines | TypeScript 10 files · 1,611 lines | Markdown 5 files · 459 lines | Shell 1 file · 17 lines | JavaScript 1 file · 12 lines
├─ 📁 assets
│ ├─ 📁 templates
│ │ ├─ 📄 alibaba.html HTML 533L · 14.5 KB
│ │ ├─ 📄 apple-notes.html HTML 251L · 6.0 KB
│ │ ├─ 📄 art-deco.html HTML 708L · 17.9 KB
│ │ ├─ 📄 business.html HTML 495L · 10.8 KB
│ │ ├─ 📄 bytedance.html HTML 576L · 15.8 KB
│ │ ├─ 📄 coil-notebook.html HTML 303L · 6.7 KB
│ │ ├─ 📄 cyberpunk.html HTML 1120L · 24.4 KB
│ │ ├─ 📄 darktech.html HTML 672L · 14.2 KB
│ │ ├─ 📄 dreamy.html HTML 471L · 9.8 KB
│ │ ├─ 📄 fairytale.html HTML 618L · 13.5 KB
│ │ ├─ 📄 glassmorphism.html HTML 655L · 15.0 KB
│ │ ├─ 📄 instagram.html HTML 508L · 12.1 KB
│ │ ├─ 📄 japanese-magazine.html HTML 596L · 12.8 KB
│ │ ├─ 📄 meadow-dawn.html HTML 393L · 8.4 KB
│ │ ├─ 📄 minimal.html HTML 408L · 8.2 KB
│ │ ├─ 📄 minimalist.html HTML 481L · 9.9 KB
│ │ ├─ 📄 nature.html HTML 440L · 8.6 KB
│ │ ├─ 📄 notebook.html HTML 582L · 12.4 KB
│ │ ├─ 📄 pop-art.html HTML 583L · 15.2 KB
│ │ ├─ 📄 traditional-chinese.html HTML 590L · 13.0 KB
│ │ ├─ 📄 typewriter.html HTML 605L · 14.9 KB
│ │ ├─ 📄 warm.html HTML 426L · 9.0 KB
│ │ ├─ 📄 watercolor.html HTML 587L · 12.4 KB
│ │ └─ 📄 xiaohongshu.html HTML 532L · 10.9 KB
│ └─ 📝 preview-template.md Markdown 8L · 226 B
├─ 📁 references
│ ├─ 📝 cli-reference.md Markdown 143L · 3.2 KB
│ └─ 📝 templates.md Markdown 128L · 4.2 KB
├─ 📁 scripts
│ ├─ 📁 src
│ │ ├─ 📁 browser
│ │ │ └─ 📜 page.tsx TypeScript 26L · 796 B
│ │ ├─ 📁 core
│ │ │ ├─ 📜 markdown.ts TypeScript 80L · 2.2 KB
│ │ │ ├─ 📜 paginate.ts TypeScript 539L · 14.7 KB
│ │ │ ├─ 📜 preview.ts TypeScript 69L · 2.1 KB
│ │ │ ├─ 📜 render.ts TypeScript 91L · 2.7 KB
│ │ │ ├─ 📜 structure.ts TypeScript 102L · 3.0 KB
│ │ │ ├─ 📜 template.ts TypeScript 175L · 4.4 KB
│ │ │ ├─ 📜 themes.ts TypeScript 181L · 4.8 KB
│ │ │ └─ 📜 types.ts TypeScript 97L · 1.9 KB
│ │ └─ 📜 cli.ts TypeScript 251L · 8.0 KB
│ ├─ 📋 package-lock.json JSON 3178L · 114.0 KB
│ ├─ 📋 package.json JSON 37L · 1.0 KB
│ ├─ 🔧 setup.sh Shell 17L · 397 B
│ ├─ 📋 tsconfig.json JSON 15L · 354 B
│ └─ 📜 xhs-card.cjs JavaScript 12L · 451 B
├─ 📝 SKILL.md Markdown 100L · 3.5 KB
└─ 📝 test.md Markdown 80L · 4.1 KB

Dependency analysis: 5 packages

Package | Version | Source | Known vulnerabilities | Notes
playwright | ^1.55.0 | npm | none listed | Standard browser automation tool
@mdx-js/mdx | ^3.1.1 | npm | none listed | Official MDX processor
react | ^19.1.1 | npm | none listed | Standard UI library
cheerio | ^1.1.2 | npm | none listed | Standard HTML parser
unified | ^11.0.5 | npm | none listed | Standard Markdown processor

Security highlights

✓ No credential harvesting or environment variable access for secrets
✓ No exfiltration of user data or system information
✓ No reverse shell, C2, or command-and-control functionality
✓ No base64-encoded shell commands or obfuscated payloads
✓ No hidden JavaScript in HTML templates (pure CSS styling)
✓ Network fetch() is only used to convert remote images to data URLs in WeChat mode
✓ Uses well-established, widely used packages (React, Playwright, unified, cheerio)
✓ All shell commands (npm install, playwright install) are standard tooling
✓ Local file operations are scoped to user-specified input/output paths