Trusted: risk score 0/100
Last scanned: 2 days ago
apifox-exporter
Fully automated export of API data from Apifox, organized into standard-format documentation (supports browser automation)
This is a legitimate Apifox API documentation export tool using Playwright browser automation. All capabilities (shell execution, filesystem writes, network access) are declared in SKILL.md and skill.yaml, and the code performs only documented behaviors.
Skill name: apifox-exporter
Analysis time: 23.9s
Engine: pi
OK to install
No action needed. The skill is safe to use.
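| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Command execution | WRITE | WRITE | ✓ Consistent | skill.yaml: executes `node script/*.js` via action |
| Filesystem | WRITE | WRITE | ✓ Consistent | Writes to desktop, ~/.openclaw/workspace/script/apifox/ |
| Network access | READ | READ | ✓ Consistent | Only accesses app.apifox.com |
| Browser | WRITE | WRITE | ✓ Consistent | Uses Playwright Chromium persistent context |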
3 findings

Medium severity · External URL
https://app.apifox.com/
script/auto-export-playwright.js:15

Medium severity · External URL
https://app.apifox.com/main/teams/4037511?tab=project
script/auto-export.js:24

Medium severity · External URL
https://app.apifox.com
script/auto-export.js:50

Directory structure

8 files · 34.8 KB · 1076 lines
JavaScript 3f · 736L | Markdown 2f · 190L | YAML 1f · 109L | JSON 1f · 24L | Ignore 1f · 17L
├─ 📁 script
│ ├─ 📜 auto-export-playwright.js JavaScript 386L · 14.7 KB
│ ├─ 📜 auto-export.js JavaScript 105L · 3.2 KB
│ └─ 📜 export.js JavaScript 245L · 8.8 KB
├─ 📄 .gitignore Ignore 17L · 168 B
├─ 📋 package.json JSON 24L · 561 B
├─ 📝 README.md Markdown 24L · 326 B
├─ 📝 SKILL.md Markdown 166L · 4.2 KB
└─ 📋 skill.yaml YAML 109L · 2.9 KB

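Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| playwright | ^1.40.0 | npm | | Version loosely pinned |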

Security highlights

✓ All shell executions (execSync for node scripts) are declared in skill.yaml actions
✓ All filesystem operations are scoped to documented paths (workspace dir, desktop)
✓ Network access is limited to the legitimate Apifox service (app.apifox.com)
✓ No credential harvesting or environment variable enumeration observed
✓ No base64 payloads, eval(), or obfuscated code
✓ No remote script execution (curl|bash patterns)
✓ No hidden instructions in comments or HTML
✓ Playwright is a standard, documented browser automation library
✓ The hardcoded team/project names in DEFAULT_TEAM_NAME and DEFAULT_PROJECT_NAME are internal configuration defaults, not exfiltration targets
✓ No external IPs, no data exfiltration, no C2 indicators