Low risk — risk score 15/100
Last scan: 18 hours ago
douban-cli
CLI for querying and marking Douban movies, books, filmmakers and user collections
Documentation-only Douban CLI skill with clearly declared browser-cookie access and config file usage; no hidden functionality detected but npm package source is unverifiable.
Skill name: douban-cli
Analysis time: 31.1s
Engine: pi
Verdict: can be installed
Verify the npm package @marvae24/douban-cli integrity before deployment; request implementation code review for full assessment.

Security findings (1)

Severity | Finding | Location
Medium | Unverified npm package dependency | Supply chain
The skill installs @marvae24/douban-cli from npm, but the package source cannot be verified from the documentation alone. This introduces supply chain risk because the actual implementation is not visible.
Evidence: package: "@marvae24/douban-cli" (SKILL.md:7)
→ Verify package authenticity through npm registry checksums, or consider hosting a verified fork
Resource type | Declared permission | Inferred permission | Status | Evidence
Browser | READ | READ | ✓ Consistent | SKILL.md metadata: permissions.browser-cookies
File system | WRITE | WRITE | ✓ Consistent | SKILL.md config: ~/.douban-cli.json, ~/.douban-cli-auth.json

Directory structure

1 file · 5.8 KB · 148 lines
Markdown: 1 file · 148 lines
└─ 📝 SKILL.md (Markdown, 148 lines · 5.8 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
@marvae24/douban-cli | unverified | npm |  | Package source cannot be verified from documentation

Security highlights

✓ All declared permissions (browser-cookie access, config files) are appropriate for stated Douban CLI functionality
✓ No base64-encoded strings or obfuscated code patterns detected
✓ No credential exfiltration or external IP communication declared
✓ No curl|bash or wget|sh remote execution patterns
✓ Documentation clearly maps user intents to specific commands
✓ Batch operations include rate limiting (--delay flag) to prevent abuse