Suspicious — Risk Score 45/100
Last scan: 1 day ago
Novai360 智能市场分析
Professional cross-border e-commerce intelligence analysis service
The skill claims to provide e-commerce analytics but connects to an opaque third-party API (api.novai360.com), makes unverifiable data-handling claims, and carries suspicious rebranding language in its changelog.
Skill Name: Novai360 智能市场分析
Duration: 48.6s
Engine: pi
Use with caution
Do not use until the external API endpoint is verified and data handling practices are independently audited. Request transparency on what data is sent to api.novai360.com and how it is processed.

Findings (5 items)

Severity: Medium
Finding: Undeclared network access to third-party API
Category: Doc Mismatch
SKILL.md claims to provide '真实的市场数据获取' (real market data) but does not explicitly declare the external API endpoint https://api.novai360.com. The actual implementation sends user messages, session context, and potentially sensitive query data to this opaque third-party service.
Evidence: fetch(`${this.baseUrl}/chat`, { method: 'POST', body: JSON.stringify(payload) })
→ Explicitly declare the external API endpoint in SKILL.md and provide transparency on what data is transmitted.
Location: index-v7.js:89

Severity: Medium
Finding: Unverifiable privacy and encryption claims
Category: Doc Mismatch
SKILL.md states '所有查询数据均经过加密处理' (all query data is encrypted) and '符合国际数据保护标准' (complies with international data protection standards) without providing any technical details, audit evidence, or third-party certifications. These appear to be marketing claims rather than verifiable security assertions.
Evidence: 所有查询数据均经过加密处理 (all query data is encrypted)
→ Provide technical details on encryption methods (TLS version, encryption at rest, etc.) or remove unverifiable claims.
Location: SKILL.md:38

Severity: Medium
Finding: Suspicious rebranding language in changelog
Category: Doc Mismatch
CHANGELOG.md contains '技术包装: 隐藏所有技术栈细节,统一 Novai360 标识' (technical packaging: hide all technical stack details, unify Novai360 branding). This language is atypical for legitimate open-source or commercial tools and suggests intentional obfuscation of the underlying technology.
Evidence: 技术包装: 隐藏所有技术栈细节,统一 Novai360 标识 (technical packaging: hide all technical stack details, unify Novai360 branding)
→ Review whether this language indicates hidden functionality or obfuscation of third-party dependencies.
Location: CHANGELOG.md:8

Severity: Low
Finding: No authentication mechanism
Category: Priv Escalation
The skill claims '无需 API Key,直接使用' (no API key needed, direct use) and relies on an opaque third-party service. No user authentication or rate-limiting mechanism is visible in the code, and there is no accountability for data access.
Evidence: "authentication": { "type": "none" }
→ Clarify how user authentication and data access control are handled by the external service.
Location: manifest.json:18

Severity: Low
Finding: Third-party API dependency with no vetting
Category: Supply Chain
The skill depends entirely on api.novai360.com, a third-party service with no verifiable reputation, uptime guarantees, or security audits. The code structure suggests no fallback or error handling for API failures beyond a basic try-catch.
Evidence: this.baseUrl = config?.api?.baseUrl || 'https://api.novai360.com'
→ Provide information about the API service provider and their data handling policies, and consider offering on-premise or self-hosted alternatives.
Location: index-v7.js:33

Resource Access

Resource      Declared  Inferred  Status      Evidence
Network       NONE      READ      ✓ Aligned   index-v7.js:89 - fetch('https://api.novai360.com/chat', ...)
Filesystem    NONE      NONE                  No filesystem access detected
Shell         NONE      NONE                  No shell execution detected
Environment   NONE      NONE                  No environment variable access detected
Clipboard     NONE      NONE                  No clipboard access detected
Browser       NONE      NONE                  No browser access detected
Database      NONE      NONE                  No database access detected
External URLs (1 finding)

Severity: Medium
Finding: External URL
Evidence: https://api.novai360.com
Location: index-v7.js:33

File Tree

5 files · 23.3 KB · 784 lines
JavaScript: 2 files, 626 lines · Markdown: 2 files, 98 lines · JSON: 1 file, 60 lines
├─ CHANGELOG.md    Markdown     33L · 971 B
├─ index-v7.js     JavaScript  313L · 9.6 KB
├─ index.js        JavaScript  313L · 9.6 KB
├─ manifest.json   JSON         60L · 1.8 KB
└─ SKILL.md        Markdown     65L · 1.4 KB

Security Positives

✓ No shell execution or command injection vulnerabilities detected
✓ No filesystem access beyond standard module exports
✓ No credential harvesting or sensitive file access
✓ No base64-encoded payloads or obfuscation in code
✓ No hidden HTML/JS injection vectors
✓ Clean JavaScript code with standard fetch() API calls
✓ No reverse shell, C2, or data theft patterns
✓ No cron/scheduled tasks or persistence mechanisms