Low Risk — Risk Score 15/100
Last scan: 20 hr ago
dashboard-humanize
AI-flavor removal service for written copy - calls the Dashboard Console API to rewrite AI-generated text so that it reads more like human writing
A legitimate text humanization tool that calls a backend API to remove AI-like characteristics from content. No malicious patterns found; all functionality aligns with stated purpose.
Skill Name: dashboard-humanize
Duration: 49.9s
Engine: pi
Safe to install
Consider documenting the hardcoded fallback token in SKILL.md and clarifying that user content is sent to an external service for processing.

Findings (2 items)

Severity | Finding | Location
Low | Hardcoded default API token (Credential Theft) | scripts/humanize.py:46
  A default Bearer token 'atk_ajhhuxTyHciMIxZQ_vt_boqVeG_zTr4Ix9REWuVBXSc' is embedded in the source code as a fallback. It appears to be a development/public token rather than a harvested credential, but it is still exposed in source control.
  Evidence: DEFAULT_TOKEN = "atk_ajhhuxTyHciMIxZQ_vt_boqVeG_zTr4Ix9REWuVBXSc"
  → Remove hardcoded tokens from the source code. Document that users should set the DASHBOARD_TOKEN environment variable for production use.
Low | Missing disclosure of external data transmission (Doc Mismatch) | SKILL.md:1
  SKILL.md does not explicitly state that user content is transmitted to an external third-party service (xiaonian.cc) for processing. The API call is the core functionality, but it should be clearly disclosed so that users can give informed consent.
  Evidence: "Implemented via the Xiaonian AI backend"
  → Add a note to SKILL.md clarifying: 'Note: Your content will be sent to the Dashboard Console API at xiaonian.cc for processing.'
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | scripts/humanize.py:79-83 reads --content-file or stdin
Network | WRITE | WRITE | ✓ Aligned | scripts/humanize.py:27,118 makes an HTTP POST to the Dashboard Console API
Shell | NONE | NONE | | No subprocess or shell execution detected
Environment | READ | READ | ✓ Aligned | scripts/humanize.py:64-67 reads DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASS…
External URLs: 1 finding
Medium | External URL | https://xiaonian.cc | scripts/humanize.py:27

File Tree

3 files · 8.3 KB · 271 lines
Python: 1 file, 170 lines · Markdown: 2 files, 101 lines
├─ 📁 references
│ └─ 📝 api.md Markdown 50L · 1.2 KB
├─ 📁 scripts
│ └─ 🐍 humanize.py Python 170L · 5.6 KB
└─ 📝 SKILL.md Markdown 51L · 1.4 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
Python standard library only | N/A | stdlib | No | Uses urllib, json, argparse, os, sys, typing - no external dependencies

Security Positives

✓ No shell execution or command injection vectors detected
✓ No obfuscation techniques (base64, eval, etc.) found
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No reverse shell, C2 communication, or data exfiltration beyond declared API calls
✓ No supply chain risks - uses only Python standard library (urllib, json, argparse)
✓ All functionality (file reading, network calls, env access) aligns with stated purpose
✓ Clean code structure with proper error handling and exit codes