Low risk: risk score 10/100
Last scan: 1 day ago
felo-x-search
Search X (Twitter) data using Felo X Search API
A straightforward X/Twitter search skill with no malicious behavior detected; only minor documentation and dependency hygiene issues present.
Skill name: felo-x-search
Analysis time: 26.8s
Engine: pi
Verdict: safe to install
The skill is safe to use. Consider pinning external dependencies if any are added in the future, and update the placeholder API key in documentation to emphasize it should never be committed.

Security findings (2)

Severity | Finding | Location

Low
Placeholder API key value in documentation (category: documentation deception)
README.md line 22 shows FELO_API_KEY="your-api-key-here" with the placeholder value exposed. While clearly a template example, credential values in docs can be mistakenly copy-pasted into configs. No actual credential is exposed.
export FELO_API_KEY="your-api-key-here"
→ Change the example to a clearly fictitious placeholder like "YOUR_FELO_API_KEY" or a masked form to prevent accidental use.
README.md:22

Low
No package.json — no explicit dependency tracking (category: supply chain)
The skill uses the Node.js built-in fetch (available since Node 18) and ships no package.json or package-lock.json. No external package versions are pinned, though the attack surface is minimal because no external dependencies are used.
#!/usr/bin/env node
→ Add a minimal package.json with a scripts section for clarity and reproducibility.
scripts/run_x_search.mjs:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | run_x_search.mjs:74 — fetch() call to openapi.felo.ai
Environment variables | READ | READ | ✓ consistent | run_x_search.mjs:237 — reads FELO_API_KEY only
Command execution | NONE | NONE | | No subprocess or shell invocation in codebase
File system | NONE | NONE | | No file read/write operations in run_x_search.mjs
Skill invocation | ADMIN | ADMIN | ✓ consistent | SKILL.md declares skill trigger keywords and explicit commands
Pattern matches: 9 findings (1 high)

🔑 High | API key | Suspected hard-coded credential
API_KEY="your-api-key-here"
README.md:22

🔗 Medium | External URL
https://openapi.felo.ai/docs/api-reference/v2/x-search.html
README.md:3

🔗 Medium | External URL
https://openapi.felo.ai/v2/x/tweet/search
SKILL.md:112

🔗 Medium | External URL
https://openapi.felo.ai/v2/x/user/search
SKILL.md:118

🔗 Medium | External URL
https://openapi.felo.ai/v2/x/user/info
SKILL.md:124

🔗 Medium | External URL
https://openapi.felo.ai/v2/x/user/tweets
SKILL.md:130

🔗 Medium | External URL
https://openapi.felo.ai/v2/x/tweet/replies
SKILL.md:136

🔗 Medium | External URL
https://openapi.felo.ai
SKILL.md:185

🔗 Medium | External URL
https://openapi.felo.ai/docs/
SKILL.md:204

Directory structure

4 files · 24.1 KB · 682 lines
JavaScript: 1 file · 385 lines; Markdown: 2 files · 285 lines; JSON: 1 file · 12 lines
├─ 📁 scripts
│ └─ 📜 run_x_search.mjs JavaScript 385L · 15.1 KB
├─ 📋 clawhub.json JSON 12L · 750 B
├─ 📝 README.md Markdown 81L · 2.6 KB
└─ 📝 SKILL.md Markdown 204L · 5.7 KB

Security highlights

✓ All network I/O goes exclusively to the declared Felo API base (openapi.felo.ai) over HTTPS
✓ No file system read/write operations — skill is stateless
✓ No shell command execution or subprocess invocation
✓ No iteration over environment variables or credential harvesting
✓ No obfuscation techniques (no base64, eval, or dynamic code generation)
✓ No sensitive path access (~/.ssh, ~/.aws, .env files, etc.)
✓ No data exfiltration or outbound data transfer beyond the intended API call
✓ Code is well-structured, readable, and matches the documented behavior exactly
✓ API key is read from the environment only, never logged, and transmitted nowhere but the API call
✓ Error handling is proper — no information leakage in error messages