seeddrop Security Report — Trusted | ClawSafe

5 /100

seeddrop

Community engagement assistant for Bilibili, Tieba, Zhihu, and Xiaohongshu platforms

SeedDrop is a legitimate community engagement assistant with comprehensive security controls. The SocialVault requirement for encrypted credential storage, mandatory manual approval for all replies, and well-documented rate limiting demonstrate a mature security posture. No malicious behavior, credential exfiltration, or undocumented functionality was found.

Skill Nameseeddrop

Duration51.6s

Enginepi

✓

Safe to install

This skill is safe to use. Ensure SocialVault is installed before deployment. Follow the documented workflow for credential management and manual reply approval.

Findings 1 items

Severity	Finding	Location
Info	Pre-scan flagged hardcoded IP 120.0.0.0 Sensitive Access The pre-scan identified '120.0.0.0' at bilibili.ts:22 as a HIGH risk hardcoded IP. Upon review, this is actually a Chrome browser version number in the User-Agent string ('Chrome/120.0.0.0') and not an IP address. This is a false positive from the pre-scan. `User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'` → No action needed - this is a legitimate browser version string.	`scripts/adapters/bilibili.ts:22`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	Reads brand-profile.md, blacklist.md; writes interaction-log.jsonl
Network	`READ`	`READ`	✓ Aligned	API calls to bilibili, tieba, zhihu, xiaohongshu platforms
Browser	`READ`	`READ`	✓ Aligned	Browser fallback for anti-bot scenarios, declared in SKILL.md
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`NONE`	`NONE`	—	SECURITY MANIFESTs confirm no env access
Skill Invoke	`NONE`	`NONE`	—	SocialVault instructions only, no other skill invocations

1 High 20 findings

📡

High IP Address 硬编码 IP 地址

120.0.0.0

scripts/adapters/bilibili.ts:22

🔗

Medium External URL 外部 URL

https://tieba.baidu.com/f/search/res?qw=

SKILL.md:100

🔗

Medium External URL 外部 URL

https://tieba.baidu.com/f?kw=

SKILL.md:101

🔗

Medium External URL 外部 URL

https://www.zhihu.com/search?type=content&q=

SKILL.md:102

🔗

Medium External URL 外部 URL

https://api.bilibili.com

scripts/adapters/bilibili.ts:3

🔗

Medium External URL 外部 URL

https://www.bilibili.com

scripts/adapters/bilibili.ts:23

🔗

Medium External URL 外部 URL

https://www.bilibili.com/video/$

scripts/adapters/bilibili.ts:75

🔗

Medium External URL 外部 URL

https://tieba.baidu.com

scripts/adapters/tieba.ts:3

🔗

Medium External URL 外部 URL

https://tieba.baidu.com/

scripts/adapters/tieba.ts:22

🔗

Medium External URL 外部 URL

https://edith.xiaohongshu.com/api/sns/web/v1

scripts/adapters/xiaohongshu.ts:3

🔗

Medium External URL 外部 URL

https://www.xiaohongshu.com

scripts/adapters/xiaohongshu.ts:24

🔗

Medium External URL 外部 URL

https://www.xiaohongshu.com/explore/$

scripts/adapters/xiaohongshu.ts:72

🔗

Medium External URL 外部 URL

https://www.xiaohongshu.com/search_result?keyword=$

scripts/adapters/xiaohongshu.ts:92

🔗

Medium External URL 外部 URL

https://www.zhihu.com/api/v4

scripts/adapters/zhihu.ts:3

🔗

Medium External URL 外部 URL

https://www.zhihu.com/search

scripts/adapters/zhihu.ts:22

🔗

Medium External URL 外部 URL

https://www.zhihu.com

scripts/adapters/zhihu.ts:23

🔗

Medium External URL 外部 URL

https://www.zhihu.com/

scripts/adapters/zhihu.ts:30

🔗

Medium External URL 外部 URL

https://www.zhihu.com/question/$

scripts/adapters/zhihu.ts:102

🔗

Medium External URL 外部 URL

https://www.zhihu.com/search?type=content&q=$

scripts/adapters/zhihu.ts:126

🔗

Medium External URL 外部 URL

https://reddit.com/r/test/test1

scripts/scorer.ts:167

File Tree

70 files · 213.7 KB · 6881 lines

TypeScript 24f · 4341L Markdown 40f · 2444L JSON 6f · 96L

├─ ▾ 📁 .qoder

│ └─ ▾ 📁 rules

│ ├─ 📝 code-quality.md Markdown 61L · 2.2 KB

│ ├─ 📝 core-principles.md Markdown 87L · 3.5 KB

│ ├─ 📝 documentation-gen.md Markdown 23L · 563 B

│ ├─ 📝 guardrails.md Markdown 75L · 2.3 KB

│ ├─ 📝 review-and-refactor.md Markdown 30L · 801 B

│ └─ 📝 security-checklist.md Markdown 26L · 690 B

├─ ▾ 📁 guides

│ ├─ 📝 adapter-development.md Markdown 92L · 2.5 KB

│ ├─ 📝 brand-profile-setup.md Markdown 39L · 1.0 KB

│ └─ 📝 quickstart.md Markdown 64L · 1.4 KB

├─ ▾ 📁 memory

│ ├─ 📝 blacklist.md Markdown 14L · 263 B

│ └─ 📝 brand-profile.md Markdown 68L · 1.7 KB

├─ ▾ 📁 references

│ ├─ 📝 platform-tos-notes.md Markdown 37L · 1.2 KB

│ ├─ 📝 safety-rules.md Markdown 73L · 2.2 KB

│ └─ 📝 scoring-criteria.md Markdown 59L · 1.3 KB

├─ ▾ 📁 scripts

│ ├─ ▾ 📁 adapters

│ │ ├─ 📜 _template.ts TypeScript 82L · 2.5 KB

│ │ ├─ 📜 base.ts TypeScript 48L · 1.4 KB

│ │ ├─ 📜 bilibili.ts TypeScript 180L · 5.2 KB

│ │ ├─ 📜 tieba.ts TypeScript 235L · 7.1 KB

│ │ ├─ 📜 xiaohongshu.ts TypeScript 165L · 4.9 KB

│ │ └─ 📜 zhihu.ts TypeScript 208L · 6.2 KB

│ ├─ 📜 analytics.ts TypeScript 222L · 7.5 KB

│ ├─ 📜 auth-bridge.ts TypeScript 156L · 5.6 KB

│ ├─ 📜 monitor.ts TypeScript 265L · 8.5 KB

│ ├─ 📜 responder.ts TypeScript 203L · 6.7 KB

│ ├─ 📜 scorer.ts TypeScript 228L · 7.2 KB

│ └─ 📜 types.ts TypeScript 266L · 8.0 KB

├─ ▾ 📁 seeddrop-v3.0.1

│ ├─ ▾ 📁 .qoder

│ │ └─ ▾ 📁 rules

│ │ ├─ 📝 code-quality.md Markdown 61L · 2.2 KB

│ │ ├─ 📝 core-principles.md Markdown 87L · 3.5 KB

│ │ ├─ 📝 documentation-gen.md Markdown 23L · 563 B

│ │ ├─ 📝 guardrails.md Markdown 75L · 2.3 KB

│ │ ├─ 📝 review-and-refactor.md Markdown 30L · 801 B

│ │ └─ 📝 security-checklist.md Markdown 26L · 690 B

│ ├─ ▾ 📁 guides

│ │ ├─ 📝 adapter-development.md Markdown 92L · 2.5 KB

│ │ ├─ 📝 brand-profile-setup.md Markdown 39L · 1.0 KB

│ │ └─ 📝 quickstart.md Markdown 64L · 1.5 KB

│ ├─ ▾ 📁 memory

│ │ ├─ 📝 blacklist.md Markdown 14L · 263 B

│ │ └─ 📝 brand-profile.md Markdown 68L · 1.7 KB

│ ├─ ▾ 📁 references

│ │ ├─ 📝 platform-tos-notes.md Markdown 37L · 1.2 KB

│ │ ├─ 📝 safety-rules.md Markdown 64L · 1.8 KB

│ │ └─ 📝 scoring-criteria.md Markdown 59L · 1.4 KB

│ ├─ ▾ 📁 scripts

│ │ ├─ ▾ 📁 adapters

│ │ │ ├─ 📜 _template.ts TypeScript 82L · 2.5 KB

│ │ │ ├─ 📜 base.ts TypeScript 48L · 1.5 KB

│ │ │ ├─ 📜 bilibili.ts TypeScript 180L · 5.1 KB

│ │ │ ├─ 📜 tieba.ts TypeScript 181L · 5.3 KB

│ │ │ ├─ 📜 xiaohongshu.ts TypeScript 165L · 5.1 KB

│ │ │ └─ 📜 zhihu.ts TypeScript 167L · 4.8 KB

│ │ ├─ 📜 analytics.ts TypeScript 222L · 7.5 KB

│ │ ├─ 📜 auth-bridge.ts TypeScript 156L · 5.6 KB

│ │ ├─ 📜 monitor.ts TypeScript 260L · 8.5 KB

│ │ ├─ 📜 responder.ts TypeScript 203L · 6.9 KB

│ │ ├─ 📜 scorer.ts TypeScript 228L · 7.5 KB

│ │ └─ 📜 types.ts TypeScript 191L · 5.5 KB

│ ├─ ▾ 📁 templates

│ │ ├─ 📝 reply-bilibili.md Markdown 52L · 1.4 KB

│ │ ├─ 📝 reply-tieba.md Markdown 56L · 1.4 KB

│ │ ├─ 📝 reply-xiaohongshu.md Markdown 61L · 2.0 KB

│ │ └─ 📝 reply-zhihu.md Markdown 74L · 1.8 KB

│ ├─ 📋 clawhub.json JSON 15L · 550 B

│ ├─ 📋 package.json JSON 15L · 330 B

│ ├─ 📝 README.md Markdown 46L · 1.2 KB

│ ├─ 📝 SKILL.md Markdown 157L · 6.1 KB

│ └─ 📋 tsconfig.json JSON 18L · 453 B

├─ ▾ 📁 templates

│ ├─ 📝 reply-bilibili.md Markdown 52L · 1.5 KB

│ ├─ 📝 reply-tieba.md Markdown 56L · 1.5 KB

│ ├─ 📝 reply-xiaohongshu.md Markdown 61L · 2.0 KB

│ └─ 📝 reply-zhihu.md Markdown 74L · 1.8 KB

├─ 📋 clawhub.json JSON 15L · 550 B

├─ 📋 package.json JSON 15L · 315 B

├─ 📝 README.md Markdown 52L · 1.7 KB

├─ 📝 SKILL.md Markdown 216L · 9.6 KB

└─ 📋 tsconfig.json JSON 18L · 453 B

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`tsx`	`^4.19.0`	npm	No	Dev dependency only, pinned major version
`typescript`	`^5.5.0`	npm	No	Dev dependency only, pinned major version
`@types/node`	`^25.5.0`	npm	No	Type definitions only

Security Positives

✓ SocialVault integration is mandatory with no plaintext credential fallback

✓ Manual approval-only mode is hardcoded and cannot be overridden

✓ All scripts include SECURITY MANIFEST blocks documenting resources accessed

✓ Rate limiting is enforced per platform with daily caps (10-30 replies/day depending on platform)

✓ Deduplication via interaction-log.jsonl prevents duplicate replies

✓ 24-hour author cooldown prevents spam behavior

✓ Content safety rules limit brand mentions to ≤20% of reply

✓ Blacklist support for users, communities, and keywords

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No base64, eval, or obfuscated code execution

✓ No curl|bash or remote script execution

✓ All network endpoints are legitimate platform APIs (bilibili, tieba, zhihu, xiaohongshu)

✓ No data exfiltration or C2 communication observed

Scan Report

Findings 1 items

File Tree

Dependencies 3 items

Security Positives