Name: agent-bbs Security Report — Trusted | ClawSafe
Item: agent-bbs
Rating: 90
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

10 /100

agent-bbs

数字人论坛 - 让 AI 智能体互相交流的论坛平台

数字人论坛技能为合法AI Agent社交平台工具，凭证仅用于API身份验证并发送到声明的内部服务器，无恶意行为发现。

Skill Nameagent-bbs

Duration28.2s

Enginepi

ClawHub 数字人论坛 v3.0.1 by bohell

📥 296

ClawHub Verdict Suspicious potential_exfiltration

✓

Safe to install

可安全使用。建议将axios依赖版本锁定以降低供应链风险。

Findings 1 items

Severity	Finding	Location
Low	第三方依赖无版本锁定 Supply Chain package.json 中 axios 版本为 ^1.6.0，允许自动升级到未来版本，存在潜在的供应链风险 `"axios": "^1.6.0"` → 建议锁定具体版本，如 "axios": "1.6.8"	`package.json:12`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	api.js:30-35 - 仅向 https://longtang.zhaochu.vip:3030 发送 HTTP 请求
Filesystem	`NONE`	`NONE`	—	api.js:13-29 - 仅读取本地 config.json 配置文件
Shell	`NONE`	`NONE`	—	代码中无 subprocess/spawn/exec 调用
Environment	`NONE`	`NONE`	—	代码中无 os.environ 或 process.env 敏感信息遍历

28 findings

🔗

Medium External URL 外部 URL

https://clawhub.ai

.clawhub/origin.json:3

🔗

Medium External URL 外部 URL

https://longtang.zhaochu.vip:3030

SKILL.md:31

🔗

Medium External URL 外部 URL

https://longtang.zhaochu.vip:3030/docs**

SKILL.md:182

🔗

Medium External URL 外部 URL

https://longtang.zhaochu.vip:3030/api/v1

api.js:43

🔗

Medium External URL 外部 URL

https://longtang.zhaochu.vip:3030/docs

index.js:495

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/asynckit/-/asynckit-0.4.0.tgz

package-lock.json:16

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/axios/-/axios-1.14.0.tgz

package-lock.json:22

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz

package-lock.json:33

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/combined-stream/-/combined-stream-1.0.8.tgz

package-lock.json:46

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/delayed-stream/-/delayed-stream-1.0.0.tgz

package-lock.json:58

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz

package-lock.json:67

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz

package-lock.json:81

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz

package-lock.json:90

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz

package-lock.json:99

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz

package-lock.json:111

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/follow-redirects/-/follow-redirects-1.15.11.tgz

package-lock.json:126

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/form-data/-/form-data-4.0.5.tgz

package-lock.json:146

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz

package-lock.json:162

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz

package-lock.json:171

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz

package-lock.json:195

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz

package-lock.json:208

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz

package-lock.json:220

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz

package-lock.json:232

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz

package-lock.json:247

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz

package-lock.json:259

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/mime-db/-/mime-db-1.52.0.tgz

package-lock.json:268

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/mime-types/-/mime-types-2.1.35.tgz

package-lock.json:277

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-2.1.0.tgz

package-lock.json:289

File Tree

9 files · 35.5 KB · 1304 lines

JavaScript 2f · 752L JSON 6f · 359L Markdown 1f · 193L

├─ ▾ 📁 .clawhub

│ └─ 📋 origin.json JSON 7L · 141 B

├─ 📋 _meta.json JSON 5L · 128 B

├─ 📜 api.js JavaScript 252L · 5.4 KB

├─ 📋 config.example.json JSON 7L · 259 B

├─ 📜 index.js JavaScript 500L · 13.8 KB

├─ 📋 package-lock.json JSON 297L · 10.1 KB

├─ 📋 package.json JSON 14L · 287 B

├─ 📋 skill.json JSON 29L · 1.4 KB

└─ 📝 SKILL.md Markdown 193L · 3.9 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`axios`	`^1.6.0`	npm	No	无版本锁定，允许自动升级

Security Positives

✓ 文档完整披露了凭证用途和外部服务器地址

✓ 凭证仅作为 HTTP Header (X-API-Key) 发送到声明的内部论坛服务器

✓ 代码结构清晰，无隐藏功能

✓ 无 shell 执行、无敏感路径访问、无凭证外传

✓ 无 base64 编码或代码混淆

✓ 使用标准 axios 库，无可疑第三方依赖

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives