中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
renatus-icm
Manage Renatus event marketing campaigns as an ICM: email campaigns, lead export, browser-based guest registration via CDP, event landing page generation, and unsubscribe sync
Legitimate Renatus event marketing campaign toolkit with clear documentation, declared CDP/session-token access, and standard subprocess-based email sending. No malicious behavior, exfiltration, obfuscation, or credential theft observed.
技能名称renatus-icm
分析耗时48.0s
引擎pi
可以安装
Safe to use. Ensure Chrome/Brave CDP access uses a dedicated browser profile and credentials are managed per the documented security recommendations.

安全发现 2 项

严重性 安全发现 位置
低危
Broader CDP access declared than strictly needed for skill scope 文档欺骗
SKILL.md says scripts 'connect to http://127.0.0.1:9222 to inspect your browser's localStorage/cookies for Renatus auth tokens' — this is accurate but the phrasing 'inspect cookies' could imply credential capture. Code only reads localStorage for session tokens, not raw cookie values or passwords.
Scripts connect to http://127.0.0.1:9222 to inspect your browser's localStorage/cookies for Renatus auth tokens
→ Clarify that only localStorage session tokens (access_token, refresh_token, XSRF) are read, not raw cookies or passwords
 SKILL.md:28
低危
Missing dependency in unsubscribe sync script 敏感访问
weekly_unsubscribe_sync.sh calls scripts/process_unsubscribes.py which does not exist in the skill's file tree. This is a broken reference that would cause Step 3 to fail at runtime, not an exploitation path.
python3 "$SCRIPT_DIR/process_unsubscribes.py"
→ Create or reference the correct unsubscribe processing script
 scripts/weekly_unsubscribe_sync.sh:100
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 SKILL.md declares file generation; scripts write CSV/JSON/config output
网络访问 READ READ ✓ 一致 urllib requests to Supabase API and Renatus back office; all outbound URLs docum…
命令执行 WRITE WRITE ✓ 一致 subprocess.run for gws/gog CLI email sending (lines 134-150, send_commercial_ema…
环境变量 READ READ ✓ 一致 config_loader.py reads RENATUS_* env vars; renatus_leads.py reads SUPABASE_URL, …
浏览器 READ READ ✓ 一致 CDP localStorage access reads 'auth' and '__RequestVerificationToken' only; SKIL…
剪贴板 NONE NONE No clipboard access found
技能调用 NONE NONE No skill-invoke patterns found
数据库 READ READ ✓ 一致 Supabase funnel_leads table reads via lead-admin-export edge function; SUPABASE_…
22 项发现
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:9222
SKILL.md:28
🔗
中危 外部 URL 外部 URL
https://backoffice.myrenatus.com/Events/EventDetails?eventId=...
SKILL.md:52
🔗
中危 外部 URL 外部 URL
https://YOUR_REGISTRATION_PAGE/
SKILL.md:72
🔗
中危 外部 URL 外部 URL
https://backoffice.myrenatus.com
SKILL.md:75
🔗
中危 外部 URL 外部 URL
https://YOUR_DOMAIN
assets/site/unsubscribe.html:57
🔗
中危 外部 URL 外部 URL
https://YOUR_DOMAIN/unsubscribe.html
references/email-campaign.md:68
🔗
中危 外部 URL 外部 URL
https://YOUR_DOMAIN/unsubscribe.html?e=
references/email-campaign.md:75
🔗
中危 外部 URL 外部 URL
https://$REF.supabase.co/functions/v1/lead-admin-export?limit=500
references/email-campaign.md:158
🔗
中危 外部 URL 外部 URL
https://YOUR_DOMAIN/commercial/
references/event-page-setup.md:30
🔗
中危 外部 URL 外部 URL
https://yourdomain.com/commercial/
references/event-page-setup.md:118
🔗
中危 外部 URL 外部 URL
https://backoffice.myrenatus.com/Events/EventDetails?eventId=
scripts/add_event.py:210
🔗
中危 外部 URL 外部 URL
https://YOUR_PROJECT_REF.supabase.co
scripts/config_loader.py:78
🔗
中危 外部 URL 外部 URL
https://YOUR_INSTRUCTOR_PHOTO_URL.jpg
scripts/config_loader.py:91
🔗
中危 外部 URL 外部 URL
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
scripts/generate_email_template.py:65
🔗
中危 外部 URL 外部 URL
http://www.w3.org/1999/xhtml
scripts/generate_email_template.py:66
🔗
中危 外部 URL 外部 URL
https://YOUR_REGISTRATION_PAGE_URL/
scripts/generate_email_template.py:323
🔗
中危 外部 URL 外部 URL
https://backoffice.myrenatus.com/Events/EventDetails?eventId=abc123...
scripts/generate_event_page.py:9
🔗
中危 外部 URL 外部 URL
https://YOUR_PROJECT_REF.functions.supabase.co/submit-renatus-registration
scripts/generate_event_page.py:451
🔗
中危 外部 URL 外部 URL
https://backoffice.myrenatus.com/Home/index
scripts/weekly_unsubscribe_sync.sh:146
📧
提示 邮箱 邮箱地址
[email protected]
assets/site/unsubscribe.html:53
📧
提示 邮箱 邮箱地址
[email protected]
references/email-campaign.md:5
📧
提示 邮箱 邮箱地址
[email protected]
scripts/send_commercial_email_batches.py:13

目录结构

18 文件 · 172.2 KB · 4882 行
Python 9f · 3404L Markdown 5f · 894L HTML 2f · 314L Shell 1f · 266L CSV 1f · 4L
├─ 📁 assets
│ ├─ 📁 site
│ │ ├─ 📄 confirmation.html HTML 162L · 7.3 KB
│ │ └─ 📄 unsubscribe.html HTML 152L · 6.7 KB
│ └─ 📄 sample_leads.csv CSV 4L · 263 B
├─ 📁 references
│ ├─ 📝 email-campaign.md Markdown 175L · 4.8 KB
│ ├─ 📝 event-page-setup.md Markdown 138L · 3.9 KB
│ ├─ 📝 supabase-setup.md Markdown 99L · 3.2 KB
│ └─ 📝 workflows.md Markdown 259L · 7.4 KB
├─ 📁 scripts
│ ├─ 🐍 add_event.py Python 298L · 11.0 KB
│ ├─ 🐍 config_loader.py Python 186L · 6.9 KB
│ ├─ 🐍 generate_calendar.py Python 260L · 8.7 KB
│ ├─ 🐍 generate_email_template.py Python 518L · 21.3 KB
│ ├─ 🐍 generate_event_page.py Python 700L · 26.1 KB
│ ├─ 🐍 renatus_delete_lead.py Python 333L · 9.8 KB
│ ├─ 🐍 renatus_leads.py Python 231L · 8.7 KB
│ ├─ 🐍 renatus_register_guest.py Python 582L · 17.8 KB
│ ├─ 🐍 send_commercial_email_batches.py Python 296L · 10.5 KB
│ └─ 🔧 weekly_unsubscribe_sync.sh Shell 266L · 7.9 KB
└─ 📝 SKILL.md Markdown 223L · 9.8 KB

依赖分析 1 项

包名版本来源已知漏洞备注
playwright not pinned pip No requirements.txt found; playwright is the only runtime dependency, used exclusively for Chrome CDP browser automation

安全亮点

✓ SKILL.md comprehensively documents all credential requirements and security recommendations
✓ CDP access explicitly reads session tokens only, NOT passwords — documented inline at add_event.py line 43
✓ Email sending uses documented gws/gog CLI with subprocess.run — no hidden transmission
✓ All network requests target documented Supabase/Renatus endpoints — no arbitrary IP or C2 communication
✓ No base64, eval, or obfuscation patterns found in any Python or shell scripts
✓ No credential harvesting (no os.environ iteration, no ~/.ssh, ~/.aws, .env file reading)
✓ Dry-run defaults on registration and deletion scripts prevent accidental writes
✓ Lead export reads Supabase only with explicit admin token — no arbitrary data exfiltration
✓ Config file is gitignored and credentials can be fully env-var driven
✓ Bounce detection and unsubscribe sync are legitimate email compliance features
✓ All dependencies (playwright) are standard, pinned packages with no known supply chain risks