Low Risk — Risk Score 20/100
Last scan: 23 hr ago
novel-scraper
Intelligent novel scraping tool with support for automatic page turning, pagination completion, and automatic chapter-number parsing
Legitimate novel scraping tool with minor documentation gaps regarding subprocess shell execution.
Skill Name: novel-scraper
Duration: 36.8s
Engine: pi
Safe to install
Consider explicitly documenting subprocess shell execution in SKILL.md capability declaration. Otherwise safe for use.

Findings 2 items

Severity: Low
Finding: Subprocess shell execution not explicitly declared (Doc Mismatch)
Both scraper scripts use subprocess.run() to execute curl commands, which constitutes shell:WRITE capability. While the curl commands are shown in documentation examples, the capability model requires explicit declaration.
    subprocess.run(cmd, capture_output=True, text=True, timeout=35)
Recommendation: Add 'shell:WRITE' to the capability declaration in SKILL.md frontmatter, or use an HTTP library instead of invoking curl via subprocess.
Location: scripts/scraper_v5.py:59

Severity: Low
Finding: Dangerous command in documentation (Doc Mismatch)
SKILL.md line 149 contains 'rm -rf /tmp/novel_scraper_cache/*' which, while clearly intended for cache clearing, demonstrates a dangerous command pattern.
    rm -rf /tmp/novel_scraper_cache/*
Recommendation: Use Python's shutil.rmtree() instead of the shell rm command for cross-platform safety.
Location: SKILL.md:149
Resource    Declared  Inferred  Status     Evidence
Filesystem  WRITE     WRITE     ✓ Aligned  Writes to ~/.openclaw/workspace/novels/
Network     READ      READ      ✓ Aligned  Uses curl to fetch bqquge.com novel content
Shell       NONE      WRITE     ✓ Aligned  subprocess.run(['curl', ...]) in scripts/scraper_v5.py:59 and scripts/scraper.py…
5 findings (1 Critical)

Critical: Dangerous Command (dangerous shell command)
    rm -rf /
    SKILL.md:149

Medium: External URL
    https://www.bqquge.com/4/1962
    SKILL.md:58

Medium: External URL
    https://www.bqquge.com/4/1963
    SKILL.md:58

Medium: External URL
    https://www.bqquge.com
    scripts/fetch_catalog.py:49

Medium: External URL
    https://www.bqquge.com/
    scripts/fetch_catalog.py:66

File Tree

11 files · 77.1 KB · 2220 lines
Python: 5 files, 1887 lines · Markdown: 3 files, 304 lines · JSON: 2 files, 24 lines · Text: 1 file, 5 lines
├─ 📁 configs
│ └─ 📋 sites.json JSON 19L · 515 B
├─ 📁 scripts
│ ├─ 🐍 extract_urls.py Python 65L · 2.0 KB
│ ├─ 🐍 fetch_catalog.py Python 130L · 4.0 KB
│ ├─ 🐍 merge_novels.py Python 191L · 6.0 KB
│ ├─ 🐍 scraper_v5.py Python 658L · 23.8 KB
│ └─ 🐍 scraper.py Python 843L · 32.7 KB
├─ 📋 _meta.json JSON 5L · 132 B
├─ 📝 CHANGELOG.md Markdown 78L · 2.1 KB
├─ 📝 RELEASE_NOTES.md Markdown 62L · 1.5 KB
├─ 📄 requirements.txt Text 5L · 124 B
└─ 📝 SKILL.md Markdown 164L · 4.2 KB

Dependencies 2 items

Package         Version   Source  Known Vulns  Notes
beautifulsoup4  >=4.12.0  pip     No           Properly pinned minimum version
bs4             >=0.0.1   pip     No           Alias package, acceptable

Security Positives

✓ All network requests target legitimate novel websites (bqquge.com)
✓ No credential harvesting or environment variable access
✓ No data exfiltration or C2 communication
✓ No obfuscated code or base64 execution
✓ Dependencies properly declared in requirements.txt
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Explicit URL validation and safety checks present