Low risk: risk score 20/100
Last scan: 1 day ago
novel-scraper
Smart novel scraping tool that supports automatic page turning, pagination completion and automatic chapter-number parsing
Legitimate novel scraping tool with minor documentation gaps regarding subprocess shell execution.
Skill name: novel-scraper
Analysis time: 36.8s
Engine: pi
Verdict: can be installed
Consider explicitly documenting subprocess shell execution in SKILL.md capability declaration. Otherwise safe for use.

Security findings (2)

Severity | Finding | Location

Low: Subprocess shell execution not explicitly declared (category: documentation deception)
Both scraper scripts use subprocess.run() to execute curl commands, which constitutes shell:WRITE capability. While the curl commands are shown in documentation examples, the capability model requires explicit declaration.
Evidence: subprocess.run(cmd, capture_output=True, text=True, timeout=35)
→ Add 'shell:WRITE' to capability declaration in SKILL.md frontmatter or use an HTTP library instead of subprocess for curl.
Location: scripts/scraper_v5.py:59

Low: Dangerous command in documentation (category: documentation deception)
SKILL.md line 149 contains 'rm -rf /tmp/novel_scraper_cache/*' which, while clearly intended for cache clearing, demonstrates dangerous command patterns.
Evidence: rm -rf /tmp/novel_scraper_cache/*
→ Use Python shutil.rmtree() instead of shell rm command for cross-platform safety.
Location: SKILL.md:149
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | Writes to ~/.openclaw/workspace/novels/
Network access | READ | READ | ✓ Consistent | Uses curl to fetch bqquge.com novel content
Command execution | NONE | WRITE | ✓ Consistent | subprocess.run(['curl', ...]) in scripts/scraper_v5.py:59 and scripts/scraper.py…
1 critical · 5 findings

Severity | Pattern | Match | Location
Critical | Dangerous command (dangerous shell command) | rm -rf / | SKILL.md:149
Medium | External URL | https://www.bqquge.com/4/1962 | SKILL.md:58
Medium | External URL | https://www.bqquge.com/4/1963 | SKILL.md:58
Medium | External URL | https://www.bqquge.com | scripts/fetch_catalog.py:49
Medium | External URL | https://www.bqquge.com/ | scripts/fetch_catalog.py:66

Directory structure

11 files · 77.1 KB · 2220 lines
Python: 5 files · 1887 lines | Markdown: 3 files · 304 lines | JSON: 2 files · 24 lines | Text: 1 file · 5 lines
├─ 📁 configs
│ └─ 📋 sites.json JSON 19L · 515 B
├─ 📁 scripts
│ ├─ 🐍 extract_urls.py Python 65L · 2.0 KB
│ ├─ 🐍 fetch_catalog.py Python 130L · 4.0 KB
│ ├─ 🐍 merge_novels.py Python 191L · 6.0 KB
│ ├─ 🐍 scraper_v5.py Python 658L · 23.8 KB
│ └─ 🐍 scraper.py Python 843L · 32.7 KB
├─ 📋 _meta.json JSON 5L · 132 B
├─ 📝 CHANGELOG.md Markdown 78L · 2.1 KB
├─ 📝 RELEASE_NOTES.md Markdown 62L · 1.5 KB
├─ 📄 requirements.txt Text 5L · 124 B
└─ 📝 SKILL.md Markdown 164L · 4.2 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
beautifulsoup4 | >=4.12.0 | pip | - | Properly pinned minimum version
bs4 | >=0.0.1 | pip | - | Alias package, acceptable

Security highlights

✓ All network requests target legitimate novel websites (bqquge.com)
✓ No credential harvesting or environment variable access
✓ No data exfiltration or C2 communication
✓ No obfuscated code or base64 execution
✓ Dependencies properly declared in requirements.txt
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Explicit URL validation and safety checks present