apifox-exporter Security Report — Trusted | ClawSafe

0 /100

apifox-exporter

全自动从 Apifox 导出接口数据并整理成标准格式的文档（支持浏览器自动化）

This is a legitimate Apifox API documentation export tool using Playwright browser automation. All capabilities (shell execution, filesystem writes, network access) are declared in SKILL.md and skill.yaml, and the code performs only documented behaviors.

Skill Nameapifox-exporter

Duration23.9s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use.

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	skill.yaml:executes `node script/*.js` via action
Filesystem	`WRITE`	`WRITE`	✓ Aligned	Writes to desktop, ~/.openclaw/workspace/script/apifox/
Network	`READ`	`READ`	✓ Aligned	Only accesses app.apifox.com
Browser	`WRITE`	`WRITE`	✓ Aligned	Uses Playwright Chromium persistent context

3 findings

🔗

Medium External URL 外部 URL

https://app.apifox.com/

script/auto-export-playwright.js:15

🔗

Medium External URL 外部 URL

https://app.apifox.com/main/teams/4037511?tab=project

script/auto-export.js:24

🔗

Medium External URL 外部 URL

https://app.apifox.com

script/auto-export.js:50

File Tree

8 files · 34.8 KB · 1076 lines

JavaScript 3f · 736L Markdown 2f · 190L YAML 1f · 109L JSON 1f · 24L Ignore 1f · 17L

├─ ▾ 📁 script

│ ├─ 📜 auto-export-playwright.js JavaScript 386L · 14.7 KB

│ ├─ 📜 auto-export.js JavaScript 105L · 3.2 KB

│ └─ 📜 export.js JavaScript 245L · 8.8 KB

├─ 📄 .gitignore Ignore 17L · 168 B

├─ 📋 package.json JSON 24L · 561 B

├─ 📝 README.md Markdown 24L · 326 B

├─ 📝 SKILL.md Markdown 166L · 4.2 KB

└─ 📋 skill.yaml YAML 109L · 2.9 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`playwright`	`^1.40.0`	npm	No	Version loosely pinned

Security Positives

✓ All shell executions (execSync for node scripts) are declared in skill.yaml actions

✓ All filesystem operations are scoped to documented paths (workspace dir, desktop)

✓ Network access is limited to the legitimate Apifox service (app.apifox.com)

✓ No credential harvesting or environment variable enumeration observed

✓ No base64 payloads, eval(), or obfuscated code

✓ No remote script execution (curl|bash patterns)

✓ No hidden instructions in comments or HTML

✓ Playwright is a standard, documented browser automation library

✓ The hardcoded team/project names in DEFAULT_TEAM_NAME and DEFAULT_PROJECT_NAME are internal configuration defaults, not exfiltration targets

✓ No external IPs, no data exfiltration, no C2 indicators

Scan Report

File Tree

Dependencies 1 items

Security Positives