taobao-shangou Security Report — Low Risk | ClawSafe

20 /100

taobao-shangou

查询淘宝闪购每日福利优惠券和红包

A legitimate Taobao coupon query tool with no malicious behavior detected; minor documentation gaps regarding declared permissions.

Skill Nametaobao-shangou

Duration32.7s

Enginepi

✓

Safe to install

Add explicit permission declarations in SKILL.md (filesystem:WRITE for caching, network:READ for API calls) to align with the capability model.

Findings 2 items

Severity	Finding	Location
Low	Missing permission declarations in SKILL.md Doc Mismatch SKILL.md does not declare the actual permissions used by the script: filesystem:WRITE (for caching) and network:READ (for API calls). While this is common practice for simple tools, it violates the capability model documentation requirement. `# 淘宝闪购每日福利查询` → Add a '## Permissions' or '## Required Capabilities' section declaring filesystem:WRITE and network:READ permissions.	`SKILL.md:1`
Low	Undeclared cache file write operation Doc Mismatch The script writes coupon data to data/latest.json for caching purposes. This filesystem write is not mentioned in SKILL.md usage instructions. `DATA_DIR / "latest.json"` → Document the caching behavior in SKILL.md or make cache writes optional/configurable.	`scripts/fetch_shangou.py:44`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✓ Aligned	scripts/fetch_shangou.py:44-47 (save_cache writes to data/latest.json)
Network	`NONE`	`READ`	✓ Aligned	scripts/fetch_shangou.py:28-39 (urllib.request fetches from external API)
Shell	`NONE`	`NONE`	—	N/A
Environment	`NONE`	`NONE`	—	N/A
Skill Invoke	`NONE`	`NONE`	—	N/A
Clipboard	`NONE`	`NONE`	—	N/A
Browser	`NONE`	`NONE`	—	N/A
Database	`NONE`	`NONE`	—	N/A

1 findings

🔗

Medium External URL 外部 URL

https://v.jumanjian.com/api/

scripts/fetch_shangou.py:6

2 files · 5.8 KB · 211 lines

Python 1f · 148L Markdown 1f · 63L

├─ ▾ 📁 scripts

│ └─ 🐍 fetch_shangou.py Python 148L · 4.2 KB

└─ 📝 SKILL.md Markdown 63L · 1.6 KB

✓ Uses only Python standard library (urllib, json, pathlib, re) - no third-party dependencies

✓ No credential harvesting or sensitive data access patterns

✓ No subprocess execution or shell command injection vectors

✓ No base64 encoded or obfuscated code

✓ No hidden HTML comments or prompt injection attempts

✓ API call is necessary for tool functionality (legitimate coupon data source)

✓ Proper error handling with try-except blocks

✓ No persistence mechanisms (cron, startup scripts, backdoors)

✓ No exfiltration or C2 communication patterns