Low risk: risk score 25/100
Last scan: 21 hours ago
openclaw-trends
Fetch and aggregate OpenClaw-related content from across the internet
Legitimate OpenClaw trends fetcher with a critical hardcoded API key vulnerability but no malicious behavior detected.
Skill name: openclaw-trends
Analysis time: 33.1s
Engine: pi
Verdict: can be installed
Recommendation: read the YouTube API key from the environment variable only, with no hardcoded fallback; the key should be supplied externally, not embedded in source code.

Security findings (1)

Severity   Finding                      Location
Critical   Hardcoded YouTube API Key    scripts/fetch_trends.py:26
Category: credential theft
Details: A valid YouTube Data API v3 key is hardcoded in plaintext at line 26 of scripts/fetch_trends.py. Although the source documents this as intentional ("embedded for convenience"), it exposes a credential that could be extracted and abused if the source is leaked or the repository becomes public.
Code:
YOUTUBE_API_KEY = os.environ.get("YOUTUBE_API_KEY", "AIzaSyC-4zq2k2ohAwtQM7lF8jPct_QhzpENG88")
→ Remove the default fallback value entirely. Require YOUTUBE_API_KEY to be set via an environment variable, and fail gracefully with a clear error message if it is not present.
Resource type         Declared   Inferred   Status         Evidence
File system           NONE       NONE                      No file read/write operations in code
Network access        READ       READ       ✓ consistent   urllib requests to YouTube API (line 55) and DuckDuckGo (line 174)
Command execution     WRITE      WRITE      ✓ consistent   subprocess.run(['gh', '--version'], ...) at line 91, documented in SKILL.md
Environment variables READ       READ       ✓ consistent   os.environ.get('YOUTUBE_API_KEY', ...) at line 26
Skill invocation      NONE       NONE                      No skill invocation detected
Clipboard             NONE       NONE                      No clipboard access
Browser               NONE       NONE                      No browser automation
Database              NONE       NONE                      No database access
Secrets and external endpoints: 3 findings (1 critical)

Severity   Type           Finding                Value                                      Location
Critical   API key        Hardcoded API key      AIzaSyC-4zq2k2ohAwtQM7lF8jPct_QhzpENG88    scripts/fetch_trends.py:26
Medium     External URL   External URL           https://youtube.com/watch?v=               scripts/fetch_trends.py:78
Medium     External URL   External URL           https://html.duckduckgo.com/html/?q=       scripts/fetch_trends.py:174

Directory structure

2 files · 10.2 KB · 313 lines
Python: 1 file · 252 lines; Markdown: 1 file · 61 lines
├─ 📁 scripts
│ └─ 🐍 fetch_trends.py Python 252L · 8.4 KB
└─ 📝 SKILL.md Markdown 61L · 1.8 KB

Dependency analysis (3)

Package    Version   Source   Known vulnerabilities   Notes
urllib     stdlib    Python   none                    Standard library, no external dependency risk
json       stdlib    Python   none                    Standard library
datetime   stdlib    Python   none                    Standard library

Security highlights

✓ All functionality is documented in SKILL.md - no hidden behavior
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No credential harvesting beyond its own legitimate API key
✓ No data exfiltration or C2 communication patterns
✓ No attempts to access sensitive paths (~/.ssh, ~/.aws, .env)
✓ subprocess usage limited to documented gh CLI tool
✓ No cron/job persistence mechanisms introduced
✓ HTTP requests limited to legitimate trend aggregation services