Low risk: risk score 20/100
Last scan: 2 days ago
douyin-comment-auto-reply
Douyin comment operations workflow for your own account videos. Use when the user wants to collect, classify, draft, review, or semi-automate replies to comments under their own Douyin videos.
Legitimate Douyin comment management tool with minor documentation gaps regarding shell execution capability.
Skill name: douyin-comment-auto-reply
Analysis time: 50.7s
Engine: pi
Verdict: can be installed
Add explicit shell:WRITE declaration to SKILL.md if browser_reply_runner.py subprocess usage is intentional. Otherwise, consider using a non-shell subprocess method for browser automation.

Security findings: 3

Severity | Finding | Location

Medium | Undeclared shell execution capability | scripts/browser_reply_runner.py:18
browser_reply_runner.py uses subprocess.run() with shell=True to execute browser commands (npx agent-browser). This shell:WRITE capability is not declared in SKILL.md or allowed-tools.
Evidence: subprocess.run(cmd, shell=True, check=True)
→ Declare shell:WRITE in SKILL.md if shell execution is intentional for browser automation.

Medium | Undeclared network access | scripts/browser_reply_runner.py:43
The skill opens external URLs (https://creator.douyin.com) via browser automation but does not declare network:READ in allowed-tools.
Evidence: open_cmd = f"{args.browser_cmd} ... open {shlex.quote(args.url)}"
→ Declare network:READ if browser-based URL access is part of the intended functionality.

Low | Documentation gap for capability mapping | SKILL.md:155
SKILL.md mentions scripts/batch_comment_drafts.py and scripts/browser_reply_runner.py but does not explicitly map their underlying capabilities (shell, network, browser).
Evidence: python3 scripts/browser_reply_runner.py ./comments.drafts.json
→ Add a 'Capabilities' or 'Technical Implementation' section to SKILL.md explaining the required tool permissions.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ,WRITE | READ,WRITE | ✓ Consistent | SKILL.md: Declares Read/Write; batch_comment_drafts.py: CSV read, JSON write; br… |
| Command execution | NONE | WRITE | ✗ Undeclared | browser_reply_runner.py:18 - subprocess.run(cmd, shell=True, check=True) |
| Network access | NONE | READ | ✗ Undeclared | browser_reply_runner.py:43 - opens external URL via browser command |
| Environment variables | NONE | NONE | | No os.environ access detected |
| Browser | NONE | WRITE | ✗ Undeclared | browser_reply_runner.py: Uses npx agent-browser for fill/click operations |
External URLs: 1 finding
Medium | External URL | https://creator.douyin.com/creator-micro/content/manage | SKILL.md:186

Directory structure

11 files · 24.3 KB · 751 lines
Markdown: 5 files, 498 lines · Python: 2 files, 171 lines · JSON: 3 files, 77 lines · CSV: 1 file, 5 lines
├─ 📁 references
│ ├─ 📝 automation-roadmap.md Markdown 63L · 1.7 KB
│ ├─ 📝 douyin-lead-gen-template.md Markdown 66L · 1.6 KB
│ └─ 📝 playbook.md Markdown 134L · 3.7 KB
├─ 📁 scripts
│ ├─ 🐍 batch_comment_drafts.py Python 96L · 4.0 KB
│ ├─ 🐍 browser_reply_runner.py Python 75L · 3.0 KB
│ ├─ 📄 comment_batch_template.csv CSV 5L · 333 B
│ ├─ 📋 comment_batch_template.drafts.json JSON 41L · 1.5 KB
│ ├─ 📋 comment_batch_template.drafts.sent-log.json JSON 16L · 566 B
│ ├─ 📋 reply_drafts_example.json JSON 20L · 778 B
│ └─ 📝 reply_execution_plan.md Markdown 26L · 761 B
└─ 📝 SKILL.md Markdown 209L · 6.3 KB

Security highlights

✓ No credential harvesting or sensitive data access
✓ No data exfiltration to external servers
✓ No base64 encoding or obfuscation patterns
✓ No remote script execution (curl|bash)
✓ Uses only standard Python libraries (csv, json, re, sys, pathlib, subprocess, argparse, shlex, time)
✓ Legitimate business use case for managing own Douyin account comments
✓ Includes --dry-run safety flag for browser automation
✓ Browser targets legitimate Douyin creator platform URL
✓ Includes sent-log for audit trail
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)