Low Risk — Risk Score 15/100
Last scan: 17 hr ago
douban-cli
CLI for querying and marking Douban movies, books, film people, and user collections
Documentation-only Douban CLI skill with clearly declared browser-cookie access and config file usage; no hidden functionality detected but npm package source is unverifiable.
Skill Name: douban-cli
Duration: 31.1s
Engine: pi
Safe to install
Verify the npm package @marvae24/douban-cli integrity before deployment; request implementation code review for full assessment.

Findings: 1 item

Severity: Medium
Finding: Unverified npm package dependency (Supply Chain)
Description: The skill installs @marvae24/douban-cli from npm, but the package source cannot be verified from the documentation alone. This introduces supply chain risk because the actual implementation is not visible.
Evidence: package: "@marvae24/douban-cli"
Recommendation: Verify package authenticity through npm registry checksums, or consider hosting a verified fork.
Location: SKILL.md:7
Resource   | Declared | Inferred | Status    | Evidence
Browser    | READ     | READ     | ✓ Aligned | SKILL.md metadata: permissions.browser-cookies
Filesystem | WRITE    | WRITE    | ✓ Aligned | SKILL.md config: ~/.douban-cli.json, ~/.douban-cli-auth.json

File Tree

1 file · 5.8 KB · 148 lines
Markdown: 1 file · 148 lines
└─ 📝 SKILL.md Markdown 148L · 5.8 KB

Dependencies: 1 item

Package              | Version    | Source | Known Vulns | Notes
@marvae24/douban-cli | unverified | npm    | No          | Package source cannot be verified from documentation

Security Positives

✓ All declared permissions (browser-cookie access, config files) are appropriate for stated Douban CLI functionality
✓ No base64-encoded strings or obfuscated code patterns detected
✓ No credential exfiltration or external IP communication declared
✓ No curl|bash or wget|sh remote execution patterns
✓ Documentation clearly maps user intents to specific commands
✓ Batch operations include rate limiting (--delay flag) to prevent abuse