Name: weread-obsidian Security Report — Trusted | ClawSafe
Item: weread-obsidian
Rating: 95
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

5 /100

weread-obsidian

同步微信读书书架状态、阅读进度和笔记到本地Obsidian工作区

合法的微信读书-obsidian同步工具，所有功能与文档描述一致，无恶意行为、阴影功能或凭证窃取。

Skill Nameweread-obsidian

Duration61.8s

Enginepi

ClawHub weread_assitant v1.0.1 by mingchaoxu

ClawHub Verdict Suspicious env_credential_accesspotential_exfiltrationvt_suspicious

✓

Safe to install

可安全使用。建议验证 obsidian-cli 来源可靠，并考虑在 package.json 中锁定依赖版本。

Findings 2 items

Severity	Finding	Location
Low	依赖包无版本锁定 Supply Chain package.json中所有依赖使用隐式latest版本，可能在依赖包更新后引入风险 `无dependencies字段，仅有scripts` → 如添加依赖，建议锁定版本如[email protected]	`package.json:1`
Info	依赖外部工具obsidian-cli Supply Chain publish-obsidian.mjs依赖本地安装的obsidian-cli工具，如果该工具被替换可能影响安全性 `await execFileAsync('obsidian-cli', args)` → 验证obsidian-cli来源可靠，考虑使用npx或相对路径执行	`scripts/publish-obsidian.mjs:91`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/export-obsidian.mjs:91 - fs.writeFile输出到output目录
Network	`READ`	`READ`	✓ Aligned	scripts/cdp-client.mjs:36 - 仅访问weread.qq.com和localhost:3456
Shell	`WRITE`	`WRITE`	✓ Aligned	scripts/publish-obsidian.mjs:91 - execFileAsync执行obsidian-cli，属于声明功能
Environment	`NONE`	`READ`	✓ Aligned	scripts/cdp-client.mjs:4 - 读取WEREAD_CDP_BASE环境变量，用途合理

4 findings

🔗

Medium External URL 外部 URL

https://weread.qq.com/web/shelf

README.md:48

🔗

Medium External URL 外部 URL

https://weread.qq.com/web/reader/a583244072027d22a58423a

README.md:212

🔗

Medium External URL 外部 URL

https://weread.qq.com/web/reader/

README.md:305

🔗

Medium External URL 外部 URL

https://weread.qq.com/...

SKILL.md:37

File Tree

14 files · 73.3 KB · 2484 lines

JavaScript 8f · 1572L Markdown 4f · 890L JSON 1f · 14L YAML 1f · 8L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 8L · 353 B

├─ ▾ 📁 references

│ └─ 📝 data-contract.md Markdown 69L · 2.1 KB

├─ ▾ 📁 scripts

│ ├─ 📜 add-book-reflection.mjs JavaScript 193L · 5.2 KB

│ ├─ 📜 book-utils.mjs JavaScript 69L · 2.1 KB

│ ├─ 📜 cdp-client.mjs JavaScript 102L · 3.0 KB

│ ├─ 📜 export-obsidian.mjs JavaScript 550L · 17.3 KB

│ ├─ 📜 fetch-book.mjs JavaScript 208L · 5.8 KB

│ ├─ 📜 fetch-shelf.mjs JavaScript 144L · 4.4 KB

│ ├─ 📜 publish-obsidian.mjs JavaScript 149L · 3.9 KB

│ └─ 📜 sync-book-by-title.mjs JavaScript 157L · 4.0 KB

├─ 📋 package.json JSON 14L · 502 B

├─ 📝 README.md Markdown 616L · 16.1 KB

├─ 📝 SECURITY.md Markdown 92L · 3.2 KB

└─ 📝 SKILL.md Markdown 113L · 5.5 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`node-fetch`	`*`	implicit	No	使用Node.js内置fetch API，无需额外依赖

Security Positives

✓ 代码结构清晰，无混淆或base64编码

✓ 所有网络请求仅限weread.qq.com和localhost:3456（CDP代理）

✓ 不收集cookies、browser storage或敏感凭证

✓ 明确声明不使用浏览器存储转储，仅读取可见DOM

✓ 文件写入范围限定在output目录

✓ 无环境变量遍历或敏感关键字搜索

✓ 通过obsidian-cli间接写Obsidian，避免直接文件操作

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives