Low risk: risk score 15/100
Last scanned: 21 hours ago
CloudSMS Bulk SMS
Send bulk SMS messages to multiple phone numbers; supports domestic and international numbers
Legitimate bulk SMS sending skill that makes HTTP requests to a declared API endpoint with no malicious behavior detected.
Skill name: CloudSMS Bulk SMS
Analysis time: 30.6s
Engine: pi
OK to install
The skill is safe to use. Consider adding explicit permission declarations (network:READ) in SKILL.md for better transparency.

Security findings: 1

Severity: Low
Finding: Missing permission declarations (category: documentation deception)
Description: SKILL.md mentions the API endpoint but does not explicitly declare network:READ permission in the capability model
Evidence: API address: https://cpaas-sms.cmidict.com:1820/uips
Recommendation: Add explicit permission declarations following the capability model format
Location: SKILL.md:74
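Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | READ | ✓ Consistent | scripts/send_bulk_sms.py:35 - requests.post(API_URL, json=payload)
Command execution | NONE | NONE | | No subprocess or shell execution found
File system | NONE | NONE | | No file read/write operations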
1 finding
Medium: External URL
https://cpaas-sms.cmidict.com:1820/uips
SKILL.md:74

Directory structure

2 files · 5.9 KB · 216 lines
Python: 1 file · 115 lines; Markdown: 1 file · 101 lines
├─ 📁 scripts
│ └─ 🐍 send_bulk_sms.py Python 115L · 3.2 KB
└─ 📝 SKILL.md Markdown 101L · 2.7 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Version not pinned; requests is a widely-used legitimate library

Security highlights

✓ Clean, readable code with no obfuscation
✓ API endpoint is declared in SKILL.md
✓ Uses standard requests library for HTTP communication
✓ No credential harvesting beyond API keys required for the feature
✓ No data exfiltration beyond what is necessary for SMS sending
✓ Proper error handling with informative messages
✓ No subprocess, eval, or base64 encoding/decoding
✓ Dependencies are well-established (requests library)