Low risk: risk score 15/100
Last scan: 1 day ago
E-Commerce Price Monitor and Competitive Intel
Monitor product prices across Amazon, eBay, Walmart, AliExpress, Zalando and Google Shopping in real time using Apify scrapers
This is a legitimate e-commerce price monitoring skill that uses Apify APIs for web scraping, with no malicious behavior detected. Minor issues include unpinned dependencies and generic marketing language.
Skill name: E-Commerce Price Monitor and Competitive Intel
Analysis time: 25.7s
Engine: pi
Verdict: can be installed
No immediate action required. Consider pinning npm dependencies to specific versions for reproducible builds.

Security findings (3)

Severity | Finding | Category | Location

Low | Unpinned npm dependencies | Supply chain | SKILL.md:59
The skill instructs users to run `npm install apify-client axios` without specifying versions. This allows dependency hijacking if a package is typosquatted or a new malicious version is published.
Evidence: npm install apify-client axios
→ Pin to specific versions: npm install apify-client@latest axios@latest or use a package.json

Low | Affiliate links in documentation | Documentation deception | SKILL.md:1
All Apify links contain the affiliate tracking parameter ?fpr=dx06p, meaning every user who signs up through these links generates revenue for the skill author. While disclosed, this represents a financial incentive not explicitly flagged as such.
Evidence: https://www.apify.com?fpr=dx06p
→ Consider adding an explicit disclosure that links contain affiliate codes

Info | No allowed-tools declaration | Privilege escalation | SKILL.md:1
The skill provides no allowed-tools section declaring required permissions (e.g., network:READ, filesystem:READ). While this is a documentation-heavy skill with no implementation scripts, a proper declaration would improve transparency.
Evidence: (no allowed-tools section)
→ Add an allowed-tools section if this skill will be used with a tool-calling harness
Resource | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ Consistent | Code examples use readFileSync/writeFileSync, scoped to skill data
Network access | NONE | READ | ✓ Consistent | HTTP calls to Apify API, Anthropic API, and user webhooks are all documented and…
Command execution | NONE | NONE | | No shell execution found; only npm install and Node.js code examples
Environment variables | NONE | READ | ✓ Consistent | Uses process.env for APIFY_TOKEN, CLAUDE_API_KEY, WEBHOOK_URL — documented and n…
Database | NONE | NONE | | No database access
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Skill invocation | NONE | NONE | | No nested skill invocation
External URLs (6 findings)

Severity | Type | URL | Location
Medium | External URL | https://www.apify.com?fpr=dx06p | SKILL.md:13
Medium | External URL | https://www.amazon.com/dp/B09G9HD6PD | SKILL.md:105
Medium | External URL | https://www.amazon.com/dp/B08N5WRWNW | SKILL.md:106
Medium | External URL | https://www.amazon.com/dp/B09XS7JWHH | SKILL.md:107
Medium | External URL | https://hooks.slack.com/your-webhook | SKILL.md:281
Medium | External URL | https://console.apify.com/schedules | SKILL.md:462

Directory structure

1 file · 17.3 KB · 520 lines
Markdown: 1 file · 520 lines
└─ SKILL.md (Markdown, 520 lines · 17.3 KB)

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
apify-client | * | npm | | Version not pinned in SKILL.md
axios | * | npm | | Version not pinned in SKILL.md

Security highlights

✓ No malicious code, obfuscation, or base64 payloads found
✓ No credential harvesting or data exfiltration beyond documented API calls
✓ No shell command execution or remote script fetching
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2 communication, or persistence mechanisms
✓ API calls are all to legitimate, documented third-party services (Apify, Anthropic)
✓ Environment variable usage for credentials is standard practice
✓ File I/O is scoped to local price reports with standard paths