buy-domain-helper 安全扫描报告 — 可疑 | ClawSafe

55 /100

buy-domain-helper

3-layer site launcher: tunnel any HTML instantly, deploy to Cloudflare Pages, then buy a domain and link it via DNS

Skill has multiple undeclared shell execution patterns, supply-chain risk from npx -y arbitrary package execution, and potential command injection from unsanitized user inputs passed to wrangler CLI.

技能名称buy-domain-helper

分析耗时48.4s

引擎pi

⚠

谨慎使用

Remove npx -y serve; pin it as a project dependency. Sanitize projectName and dir arguments before shell interpolation. Declare all env vars (NETA_TOKEN, CF_API_TOKEN, CF_ACCOUNT_ID) in SKILL.md env. Replace execSync('brew install') with explicit dependency requirement.

安全发现 5 项

严重性	安全发现	位置
高危	Undeclared shell execution via execSync and spawn 权限提升 site.js performs execSync('which cloudflared'), execSync('brew install cloudflared'), execSync(wrangler ...), spawn('cloudflared'...), spawn('npx'...) — all shell execution — but SKILL.md declares env:[] and only lists bins:[node,cloudflared,wrangler] with no shell or network declarations. execSync('which cloudflared', ...); execSync('brew install cloudflared', ...); spawn('npx', ['-y', 'serve', ...]); execSync(`wrangler pages deploy...`) → Declare shell:WRITE and network:READ in SKILL.md metadata. Replace brew install with a clear error message requiring manual installation. Remove npx serve or pin it as a dependency.	`site.js:70-71, 90, 102`
高危	npx -y serve downloads and executes arbitrary unpinned npm package at runtime 供应链 site.js line 90 executes 'npx -y serve' to serve static files before tunneling. This downloads and runs the latest 'serve' package from npm without version pinning, creating a supply-chain attack vector. The serve package is not in package.json dependencies. `const serveProc = spawn('npx', ['-y', 'serve', target, '-p', '8080', '-s'], { stdio: 'ignore' });` → Add 'serve' as a pinned dependency in package.json and invoke it via local node_modules instead of npx.	`site.js:90`
中危	NETA_TOKEN environment variable declared in package.json but absent from SKILL.md 文档欺骗 package.json clawhub.env section declares a required NETA_TOKEN env var for 'Neta AI API token', but SKILL.md declares env:[] (empty array). This undeclared environment dependency is a doc-to-code mismatch. `{"name": "NETA_TOKEN", "description": "Neta AI API token. Get it at https://www.neta.art/open/", "required": true}` → Add NETA_TOKEN to SKILL.md env array with description, or remove from package.json if unused in site.js.	`package.json:7`
中危	Command injection risk: unsanitized user inputs in shell commands 代码执行 execSync on line 102-103 interpolates projectName and dir (from user-provided CLI args) directly into a shell command string passed to wrangler. While wrangler likely handles this safely, passing arbitrary strings to shell without validation is risky. execSync(`wrangler pages deploy "${dir}" --project-name "${projectName}" --branch main 2>&1`, { env }) → Validate that projectName matches expected pattern (alphanumeric, hyphens). Enforce dir exists and is within expected paths.	`site.js:102`
中危	Full process.env inherited by child processes 权限提升 site.js line 104 passes the entire process.env to wrangler via env:{...process.env, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID}. This exposes all environment variables (including potentially sensitive ones) to the child process. `const env = { ...process.env, CLOUDFLARE_API_TOKEN: TOKEN, CLOUDFLARE_ACCOUNT_ID: ACCOUNT };` → Pass only the specific environment variables needed (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, PATH) without spreading process.env.	`site.js:104`

资源类型	声明权限	推断权限	状态	证据
命令执行	`NONE`	`WRITE`	✗ 越权	site.js:70 execSync('which cloudflared'); site.js:71 execSync('brew install clou…
网络访问	`NONE`	`READ`	✗ 越权	site.js:26 fetches api.cloudflare.com; site.js:90 spawns npx which reaches npm r…
环境变量	`NONE`	`READ`	✗ 越权	site.js:29-30 reads CF_API_TOKEN, CF_ACCOUNT_ID; site.js:104 passes full process…
文件系统	`NONE`	`WRITE`	✗ 越权	site.js:90 npx serve writes to disk in /tmp; wrangler deploy writes build artifa…

8 项发现

🔗

中危外部 URL 外部 URL

https://abc.trycloudflare.com

README.md:41

🔗

中危外部 URL 外部 URL

https://*.trycloudflare.com

README.md:65

🔗

中危外部 URL 外部 URL

https://dash.cloudflare.com/profile/api-tokens

README.md:81

🔗

中危外部 URL 外部 URL

https://abc123.my-site.pages.dev

README.md:88

🔗

中危外部 URL 外部 URL

https://dash.cloudflare.com/

README.md:110

🔗

中危外部 URL 外部 URL

https://mysite.com

README.md:149

🔗

中危外部 URL 外部 URL

https://www.neta.art/open/

package.json:9

🔗

中危外部 URL 外部 URL

https://api.cloudflare.com/client/v4

site.js:26

目录结构

4 文件 · 15.4 KB · 420 行

Markdown 2f · 240L JavaScript 1f · 166L JSON 1f · 14L

├─ 📋 package.json JSON 14L · 268 B

├─ 📝 README.md Markdown 191L · 5.9 KB

├─ 📜 site.js JavaScript 166L · 7.4 KB

└─ 📝 SKILL.md Markdown 49L · 1.8 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`serve`	`unpinned`	npm (via npx -y)	否	Not listed in package.json; downloaded at runtime via npx -y without version pin — supply-chain risk
`cloudflared`	`unpinned`	Homebrew	否	Installed via brew install if missing, not declared in package.json
`wrangler`	`unpinned`	npm/global	否	Required binary, not declared in package.json

安全亮点

✓ No credential exfiltration — tokens are used only for Cloudflare API calls

✓ README.md is thorough and transparently documents the tunnel, pages, and DNS layers

✓ No base64-encoded payloads or obfuscated code

✓ No attempt to access ~/.ssh, ~/.aws, .env, or other sensitive paths

✓ No persistence mechanisms (cron, startup hooks, backdoors) detected

✓ API calls are limited to official Cloudflare API endpoints