Low Risk — Risk Score 18/100
Last scan: 10 hr ago
business-opportunity-screenshot
Generates a business-opportunity discovery Skills recommendation report, opens the page in Chromium and saves a full-page scrolling screenshot.
A working report-generation tool. Its documentation is vague and it uses hardcoded paths, but there is no evidence of malicious behaviour.
Skill Name: business-opportunity-screenshot
Duration: 58.1s
Engine: pi
Safe to install
Recommendation: state explicitly in SKILL.md that the skill executes shell commands, and document the hardcoded path it writes to.

Findings (3 items)

Severity Finding Location
Medium
Doc Mismatch: documentation diverges from actual behaviour
SKILL.md describes the skill as "calling the ClawHub API to search", but the code runs shell commands through execSync to invoke the clawhub CLI, and the pkill command is not mentioned at all.
execSync(command, { stdio: 'pipe', encoding: 'utf8', timeout: 15000 })
→ State explicitly in the documentation that the clawhub CLI is invoked through shell commands and that process cleanup (pkill) is performed.
scripts/screenshot.js:62
Medium
Sensitive Access: hardcoded workspace path not declared
The code hardcodes the path /home/xiaoduo/.openclaw/workspace-product for storing the HTML report and the screenshots; the path is not declared in the documentation. A path under one specific user's home directory will also not exist on any other install.
const WORKSPACE = '/home/xiaoduo/.openclaw/workspace-product';
→ Replace the hardcoded path with an environment variable or a configuration parameter, or declare it explicitly in the documentation.
scripts/screenshot.js:9
Low
Supply Chain: npm dependency without a version lock
package.json pins puppeteer-core with the caret range ^24.39.1, which allows newer minor and patch releases to be pulled in and so carries supply-chain risk.
"puppeteer-core": "^24.39.1"
→ Consider an exact version, or rely on package-lock.json to keep the dependency stable. The file tree on this page already includes a package-lock.json that resolves puppeteer-core to 24.39.1 (package-lock.json:642), so installs that honour the lock (npm ci) already get a fixed version; the caret range only matters if the lock is dropped or regenerated.
package.json:14
Resource    Declared  Inferred  Status       Evidence
Filesystem  NONE      WRITE     ✓ Aligned    scripts/screenshot.js:189 fs.writeFileSync writes the HTML report
Shell       NONE      WRITE     ✗ Violation  scripts/screenshot.js:62 execSync runs the clawhub/pkill commands
Network     READ      READ      ✓ Aligned    scripts/screenshot.js: clawhub CLI API call
Browser     WRITE     WRITE     ✓ Aligned    scripts/screenshot.js:318 puppeteer connects to Chromium and takes the screenshot
Note that Filesystem shows the same declared NONE / inferred WRITE gap that is marked as a violation for Shell; the undeclared write location is covered by the second finding above.
External URLs (82 findings, all Medium severity, category External URL)
81 of the 82 are tarball URLs recorded in package-lock.json, and every one of them points at registry.npmmirror.com rather than registry.npmjs.org: the lockfile was generated against the npmmirror registry, so an install that honours the lock fetches from that mirror. The remaining URL is the ClawHub site referenced from the script. Each entry is the URL followed by its location.
https://registry.npmmirror.com/@puppeteer/browsers/-/browsers-2.13.0.tgz  package-lock.json:17
https://registry.npmmirror.com/@tootallnate/quickjs-emscripten/-/quickjs-emscripten-0.23.0.tgz  package-lock.json:38
https://registry.npmmirror.com/@types/node/-/node-25.5.0.tgz  package-lock.json:44
https://registry.npmmirror.com/@types/yauzl/-/yauzl-2.10.3.tgz  package-lock.json:54
https://registry.npmmirror.com/agent-base/-/agent-base-7.1.4.tgz  package-lock.json:64
https://registry.npmmirror.com/ansi-regex/-/ansi-regex-5.0.1.tgz  package-lock.json:73
https://registry.npmmirror.com/ansi-styles/-/ansi-styles-4.3.0.tgz  package-lock.json:82
https://registry.npmmirror.com/ast-types/-/ast-types-0.13.4.tgz  package-lock.json:97
https://registry.npmmirror.com/b4a/-/b4a-1.8.0.tgz  package-lock.json:109
https://registry.npmmirror.com/bare-events/-/bare-events-2.8.2.tgz  package-lock.json:123
https://registry.npmmirror.com/bare-fs/-/bare-fs-4.5.5.tgz  package-lock.json:137
https://registry.npmmirror.com/bare-os/-/bare-os-3.8.0.tgz  package-lock.json:161
https://registry.npmmirror.com/bare-path/-/bare-path-3.0.0.tgz  package-lock.json:170
https://registry.npmmirror.com/bare-stream/-/bare-stream-2.8.1.tgz  package-lock.json:179
https://registry.npmmirror.com/bare-url/-/bare-url-2.3.2.tgz  package-lock.json:201
https://registry.npmmirror.com/basic-ftp/-/basic-ftp-5.2.0.tgz  package-lock.json:210
https://registry.npmmirror.com/buffer-crc32/-/buffer-crc32-0.2.13.tgz  package-lock.json:219
https://registry.npmmirror.com/chromium-bidi/-/chromium-bidi-14.0.0.tgz  package-lock.json:228
https://registry.npmmirror.com/cliui/-/cliui-8.0.1.tgz  package-lock.json:241
https://registry.npmmirror.com/color-convert/-/color-convert-2.0.1.tgz  package-lock.json:255
https://registry.npmmirror.com/color-name/-/color-name-1.1.4.tgz  package-lock.json:267
https://registry.npmmirror.com/data-uri-to-buffer/-/data-uri-to-buffer-6.0.2.tgz  package-lock.json:273
https://registry.npmmirror.com/debug/-/debug-4.4.3.tgz  package-lock.json:282
https://registry.npmmirror.com/degenerator/-/degenerator-5.0.1.tgz  package-lock.json:299
https://registry.npmmirror.com/devtools-protocol/-/devtools-protocol-0.0.1581282.tgz  package-lock.json:313
https://registry.npmmirror.com/emoji-regex/-/emoji-regex-8.0.0.tgz  package-lock.json:319
https://registry.npmmirror.com/end-of-stream/-/end-of-stream-1.4.5.tgz  package-lock.json:325
https://registry.npmmirror.com/escalade/-/escalade-3.2.0.tgz  package-lock.json:334
https://registry.npmmirror.com/escodegen/-/escodegen-2.1.0.tgz  package-lock.json:343
https://registry.npmmirror.com/esprima/-/esprima-4.0.1.tgz  package-lock.json:364
https://registry.npmmirror.com/estraverse/-/estraverse-5.3.0.tgz  package-lock.json:377
https://registry.npmmirror.com/esutils/-/esutils-2.0.3.tgz  package-lock.json:386
https://registry.npmmirror.com/events-universal/-/events-universal-1.0.1.tgz  package-lock.json:395
https://registry.npmmirror.com/extract-zip/-/extract-zip-2.0.1.tgz  package-lock.json:404
https://registry.npmmirror.com/fast-fifo/-/fast-fifo-1.3.2.tgz  package-lock.json:424
https://registry.npmmirror.com/fd-slicer/-/fd-slicer-1.1.0.tgz  package-lock.json:430
https://registry.npmmirror.com/get-caller-file/-/get-caller-file-2.0.5.tgz  package-lock.json:439
https://registry.npmmirror.com/get-stream/-/get-stream-5.2.0.tgz  package-lock.json:448
https://registry.npmmirror.com/get-uri/-/get-uri-6.0.5.tgz  package-lock.json:463
https://registry.npmmirror.com/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz  package-lock.json:477
https://registry.npmmirror.com/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz  package-lock.json:490
https://registry.npmmirror.com/ip-address/-/ip-address-10.1.0.tgz  package-lock.json:503
https://registry.npmmirror.com/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz  package-lock.json:512
https://registry.npmmirror.com/lru-cache/-/lru-cache-7.18.3.tgz  package-lock.json:521
https://registry.npmmirror.com/mitt/-/mitt-3.0.1.tgz  package-lock.json:530
https://registry.npmmirror.com/ms/-/ms-2.1.3.tgz  package-lock.json:536
https://registry.npmmirror.com/netmask/-/netmask-2.0.2.tgz  package-lock.json:542
https://registry.npmmirror.com/once/-/once-1.4.0.tgz  package-lock.json:551
https://registry.npmmirror.com/pac-proxy-agent/-/pac-proxy-agent-7.2.0.tgz  package-lock.json:560
https://registry.npmmirror.com/pac-resolver/-/pac-resolver-7.0.1.tgz  package-lock.json:579
https://registry.npmmirror.com/pend/-/pend-1.2.0.tgz  package-lock.json:592
https://registry.npmmirror.com/progress/-/progress-2.0.3.tgz  package-lock.json:598
https://registry.npmmirror.com/proxy-agent/-/proxy-agent-6.5.0.tgz  package-lock.json:607
https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz  package-lock.json:626
https://registry.npmmirror.com/pump/-/pump-3.0.4.tgz  package-lock.json:632
https://registry.npmmirror.com/puppeteer-core/-/puppeteer-core-24.39.1.tgz  package-lock.json:642
https://registry.npmmirror.com/require-directory/-/require-directory-2.1.1.tgz  package-lock.json:660
https://registry.npmmirror.com/semver/-/semver-7.7.4.tgz  package-lock.json:669
https://registry.npmmirror.com/smart-buffer/-/smart-buffer-4.2.0.tgz  package-lock.json:681
https://registry.npmmirror.com/socks/-/socks-2.8.7.tgz  package-lock.json:691
https://registry.npmmirror.com/socks-proxy-agent/-/socks-proxy-agent-8.0.5.tgz  package-lock.json:705
https://registry.npmmirror.com/source-map/-/source-map-0.6.1.tgz  package-lock.json:719
https://registry.npmmirror.com/streamx/-/streamx-2.23.0.tgz  package-lock.json:729
https://registry.npmmirror.com/string-width/-/string-width-4.2.3.tgz  package-lock.json:740
https://registry.npmmirror.com/strip-ansi/-/strip-ansi-6.0.1.tgz  package-lock.json:754
https://registry.npmmirror.com/tar-fs/-/tar-fs-3.1.2.tgz  package-lock.json:766
https://registry.npmmirror.com/tar-stream/-/tar-stream-3.1.8.tgz  package-lock.json:780
https://registry.npmmirror.com/teex/-/teex-1.0.1.tgz  package-lock.json:792
https://registry.npmmirror.com/text-decoder/-/text-decoder-1.2.7.tgz  package-lock.json:801
https://registry.npmmirror.com/tslib/-/tslib-2.8.1.tgz  package-lock.json:810
https://registry.npmmirror.com/typed-query-selector/-/typed-query-selector-2.12.1.tgz  package-lock.json:816
https://registry.npmmirror.com/undici-types/-/undici-types-7.18.2.tgz  package-lock.json:822
https://registry.npmmirror.com/webdriver-bidi-protocol/-/webdriver-bidi-protocol-0.4.1.tgz  package-lock.json:829
https://registry.npmmirror.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz  package-lock.json:835
https://registry.npmmirror.com/wrappy/-/wrappy-1.0.2.tgz  package-lock.json:852
https://registry.npmmirror.com/ws/-/ws-8.19.0.tgz  package-lock.json:858
https://registry.npmmirror.com/y18n/-/y18n-5.0.8.tgz  package-lock.json:879
https://registry.npmmirror.com/yargs/-/yargs-17.7.2.tgz  package-lock.json:888
https://registry.npmmirror.com/yargs-parser/-/yargs-parser-21.1.1.tgz  package-lock.json:906
https://registry.npmmirror.com/yauzl/-/yauzl-2.10.0.tgz  package-lock.json:915
https://registry.npmmirror.com/zod/-/zod-3.25.76.tgz  package-lock.json:925
https://clawhub.com  scripts/screenshot.js:300

File Tree

4 files · 52.3 KB · 1501 lines
JSON: 2 files · 949 lines; JavaScript: 1 file · 445 lines; Markdown: 1 file · 107 lines
├─ 📁 scripts
│ └─ 📜 screenshot.js JavaScript 445L · 16.5 KB
├─ 📋 package-lock.json JSON 933L · 33.0 KB
├─ 📋 package.json JSON 16L · 325 B
└─ 📝 SKILL.md Markdown 107L · 2.4 KB

Dependencies (1 item)

Package         Version   Source  Known Vulns  Notes
puppeteer-core  ^24.39.1  npm     No           No exact version pin; pinning is recommended. package-lock.json resolves it to 24.39.1 (package-lock.json:642).

Security Positives

✓ Clear code structure with complete comments
✓ No credential harvesting, environment-variable enumeration or other sensitive operations
✓ No base64 encoding and no signs of command injection
✓ No data exfiltration or C2 communication
✓ Uses puppeteer-core rather than the full puppeteer package (no Chromium download)