Low Risk — Risk Score 10/100
Last scan: 2 days ago
x-reader
Read and summarize X/Twitter links with low-token routing
This is a legitimate X/Twitter link reader skill with no malicious behavior detected; the flagged IOC is a false positive (Chrome browser version number in user-agent string).
Skill Name: x-reader
Duration: 57.7s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings: 1 item

Severity: Info
Finding: Chrome version misinterpreted as IP
The pre-scan flagged 122.0.0.0 as a hardcoded IP address at line 253. This is a false positive - the value is part of the Chrome browser version number in the user-agent string: 'Chrome/122.0.0.0'. This is legitimate browser automation configuration.
Evidence: userAgent: 'Mozilla/5.0...Chrome/122.0.0.0 Safari/537.36'
→ No action needed - this is a legitimate user-agent string.
Location: scripts/xreader.mjs:251
Resource  Declared  Inferred  Status  Evidence
Filesystem READ READ ✓ Aligned xreader.mjs:38-50 reads session.json
Filesystem WRITE WRITE ✓ Aligned xreader.mjs:35-37 writes migrated auth with 0o600
Shell READ READ ✓ Aligned xreader.mjs:75 uses execFileAsync to run xreach
Network READ READ ✓ Aligned xreader.mjs:78-83 resolves URLs via fetch()
Browser WRITE WRITE ✓ Aligned xreader.mjs:85-253 uses Playwright for article extraction
Pre-scan findings: 7 (1 High, 6 Medium)

Severity  Type  Value  Location
High  IP Address (hardcoded IP address)  122.0.0.0  scripts/xreader.mjs:253
Medium  External URL  https://x.com/...  SKILL.md:32
Medium  External URL  https://x.com/.../status/...  SKILL.md:44
Medium  External URL  https://x.com/i/article/...  SKILL.md:50
Medium  External URL  https://x.com/yangguangai/status/2033736815405121642?s=46  SKILL.md:117
Medium  External URL  https://x.com/yangguangai/status/2033522959407878621?s=46  SKILL.md:118
Medium  External URL  https://x.com/google/status/2031558824042058064  SKILL.md:119

File Tree

4 files · 24.4 KB · 761 lines
JavaScript: 1 file, 560 lines · Markdown: 1 file, 136 lines · JSON: 2 files, 65 lines
├─ 📁 scripts
│ └─ 📜 xreader.mjs JavaScript 560L · 18.5 KB
├─ 📋 package-lock.json JSON 57L · 1.6 KB
├─ 📋 package.json JSON 8L · 123 B
└─ 📝 SKILL.md Markdown 136L · 4.1 KB

Dependencies: 2 items

Package  Version  Source  Known Vulns  Notes
xreach * npm No External CLI tool, documented dependency
playwright ^1.53.0 npm No Used for article page rendering only

Security Positives

✓ All functionality declared in SKILL.md matches code implementation
✓ Auth tokens are used locally for X.com authentication only - no exfiltration
✓ File permissions set to 0o600 for auth files
✓ No shell command injection vectors
✓ No base64/eval obfuscation
✓ No credential harvesting beyond documented auth files
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden functionality or undocumented network connections
✓ Dependencies are standard and documented (xreach CLI, Playwright)