携程笔记全自动发布 Security Report — Low Risk | ClawSafe

22 /100

携程笔记全自动发布

携程内容中心全自动发布技能，支持从 Bing Images 搜索高清无版权图片、自动填写标题正文、自动上传图片、自动选择目的地、自动点击发布

The skill implements legitimate Ctrip auto-publishing via Chrome browser automation, but makes undeclared use of AppleScript shell execution and has documentation mismatch regarding CDP protocol vs osascript implementation.

Skill Name携程笔记全自动发布

Duration35.5s

Enginepi

✓

Safe to install

Declare shell:WRITE permission in SKILL.md if AppleScript/subprocess usage is intentional; align SKILL.md's stated CDP WebSocket approach with the actual osascript implementation; pin Playwright dependency in publish.sh.

Findings 3 items

Severity	Finding	Location
Medium	Undeclared shell execution via osascript Doc Mismatch Both auto_fill.py and ctrip_auto_publish.py use subprocess.run() to execute osascript commands for Chrome browser control. This is shell:WRITE behavior that is not declared anywhere in SKILL.md, which only mentions CDP WebSocket protocol. `subprocess.run(['osascript', '-e', script], capture_output=True, text=True)` → Add shell:WRITE to the declared capability map in SKILL.md if AppleScript subprocess is a core mechanism.	`scripts/ctrip_auto_publish.py:52`
Medium	SKILL.md claims CDP WebSocket but code uses AppleScript Doc Mismatch SKILL.md section '技术实现' states '使用 OpenClaw 浏览器自动化 + CDP 协议' and provides a CDP WebSocket upload example. However, all Python scripts actually use osascript subprocess calls to control Chrome via AppleScript DOM scripting, not CDP. This is a documentation mismatch. `使用 OpenClaw 浏览器自动化 + CDP 协议` → Update SKILL.md to accurately describe the AppleScript-based browser automation approach, or refactor scripts to use the stated CDP WebSocket method.	`SKILL.md:42`
Low	Unpinned Playwright dependency in publish.sh Supply Chain publish.sh runs 'pip3 install playwright' without version pinning or a requirements.txt, which could result in installing a different version with different behavior or known vulnerabilities. `pip3 install playwright` → Pin Playwright version: pip3 install playwright==x.x.x	`scripts/publish.sh:14`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md and scripts/write target /tmp/openclaw/uploads/ and ~/.qclaw/workspace/
Network	`READ`	`READ`	✓ Aligned	SKILL.md; scripts access Bing Images and Ctrip URLs
Browser	`READ`	`READ`	✓ Aligned	SKILL.md; scripts control Chrome via osascript DOM manipulation
Shell	`NONE`	`WRITE`	✗ Violation	auto_fill.py:14 subprocess.run(['osascript']); ctrip_auto_publish.py:37+52+69 su…
Environment	`NONE`	`NONE`	—	No env var access observed
Clipboard	`NONE`	`NONE`	—	No clipboard access observed
Database	`NONE`	`NONE`	—	No database access observed
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation observed

5 findings

🔗

Medium External URL 外部 URL

https://we.ctrip.com/publish/publishPictureText

SKILL.md:65

🔗

Medium External URL 外部 URL

https://we.ctrip.com/publish/publishHome

SKILL.md:170

🔗

Medium External URL 外部 URL

https://we.ctrip.com/publish/contentManagement

SKILL.md:171

🔗

Medium External URL 外部 URL

https://we.ctrip.com/publish/detail?articleType=1

scripts/publish.py:15

🔗

Medium External URL 外部 URL

https://we.ctrip.com/publish/detail?articleType=2

scripts/publish.py:16

File Tree

7 files · 26.4 KB · 885 lines

Python 4f · 684L Markdown 1f · 170L Shell 1f · 21L JSON 1f · 10L

├─ ▾ 📁 scripts

│ ├─ 🐍 auto_fill.py Python 169L · 5.2 KB

│ ├─ 🐍 ctrip_auto_publish.py Python 340L · 10.4 KB

│ ├─ 🐍 generate_script.py Python 143L · 4.5 KB

│ ├─ 🐍 publish.py Python 32L · 849 B

│ └─ 🔧 publish.sh Shell 21L · 494 B

├─ 📋 _meta.json JSON 10L · 283 B

└─ 📝 SKILL.md Markdown 170L · 4.6 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`playwright`	`*`	pip3	No	Version not pinned in publish.sh
`websockets`	`not used`	pip	No	Listed in SKILL.md but not used in any script

Security Positives

✓ No credential harvesting or environment variable enumeration observed

✓ No data exfiltration or external C2 communication detected

✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, keychain)

✓ No reverse shell, RCE payloads, or privilege escalation attempts

✓ No hidden HTML comments or prompt injection instructions

✓ Content and destinations are hardcoded sample travel data, not user data theft

✓ Filesystem write scope is limited to /tmp and ~/.qclaw/workspace, both non-sensitive

Scan Report

Findings 3 items

File Tree

Dependencies 2 items

Security Positives