中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:23 hr ago Rescan
5 /100
castreader
URL to audio: extract any web page and convert to natural AI speech (Kokoro TTS). No API key needed.
CastReader is a legitimate URL-to-audio TTS skill with no malicious behavior; pre-scan critical flags are false positives from standard audio decoding and browser emulation.
Skill Namecastreader
Duration35.3s
Enginepi
Safe to install
Approve for use. Consider pinning puppeteer to a specific version in package.json for tighter supply-chain hygiene.

Findings 1 items

Severity Finding Location
Low
puppeteer version loosely pinned Supply Chain
puppeteer is declared as ^23.0.0 without a specific version pin. While no known CVEs are associated with this package, loose pinning allows the dependency to receive major updates without re-evaluation.
"puppeteer": "^23.0.0"
→ Pin to a specific version, e.g., "puppeteer": "23.0.0"
 package.json:11
ResourceDeclaredInferredStatusEvidence
Filesystem READ WRITE ✓ Aligned Writes to /tmp/castreader-* dirs and user library — declared in SKILL.md (Mode B…
Network READ READ ✓ Aligned POSTs to api.castreader.ai for TTS; GETs target URLs for content extraction
Shell NONE NONE execFileSync('node', ...) only spawns node sub-script; not shell arbitrary execu…
Environment READ READ ✓ Aligned Reads CASTREADER_API_KEY, CASTREADER_API_URL, CASTREADER_VOICE, CASTREADER_SPEED…
1 Critical 1 High 15 findings
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(audioBase64, 'base64'
scripts/generate-text.js:85
📡
High IP Address 硬编码 IP 地址
131.0.0.0
scripts/extract.js:42
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/OpenClaw-Skill-blue
README.md:3
🔗
Medium External URL 外部 URL
https://clawhub.ai/vinxu/castreader
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/License-MIT-green.svg
README.md:4
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/platform-macOS%20%7C%20Linux%20%7C%20Windows-lightgrey
README.md:5
🔗
Medium External URL 外部 URL
https://paulgraham.com/greatwork.html
README.md:10
🔗
Medium External URL 外部 URL
https://huggingface.co/hexgrad/Kokoro-82M
README.md:95
🔗
Medium External URL 外部 URL
https://api.castreader.ai
README.md:97
🔗
Medium External URL 外部 URL
https://castreader.ai
README.md:101
🔗
Medium External URL 外部 URL
https://chromewebstore.google.com/detail/castreader-tts-reader/foammmkhpbeladledijkdljlechlclpb
README.md:102
🔗
Medium External URL 外部 URL
https://microsoftedge.microsoft.com/addons/detail/niidajfbelfcgnkmnpcmdlioclhljaaj
README.md:103
🔗
Medium External URL 外部 URL
https://castreader.ai/openclaw
SKILL.md:16
🔗
Medium External URL 外部 URL
https://www.patreon.com/feross
package-lock.json:248
🔗
Medium External URL 外部 URL
https://feross.org/support
package-lock.json:252

File Tree

9 files · 74.0 KB · 2308 lines
JSON 2f · 1222L JavaScript 4f · 702L Markdown 3f · 384L
├─ 📁 references
│ └─ 📝 castreader-api.md Markdown 76L · 2.1 KB
├─ 📁 scripts
│ ├─ 📜 extract.js JavaScript 87L · 2.3 KB
│ ├─ 📜 generate-text.js JavaScript 123L · 3.3 KB
│ ├─ 📜 read-url.js JavaScript 214L · 6.2 KB
│ └─ 📜 sync-books.js JavaScript 278L · 8.6 KB
├─ 📋 package-lock.json JSON 1208L · 42.3 KB
├─ 📋 package.json JSON 14L · 391 B
├─ 📝 README.md Markdown 108L · 3.2 KB
└─ 📝 SKILL.md Markdown 200L · 5.6 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
puppeteer ^23.0.0 npm No Major version loosely pinned; no known CVEs

Security Positives

✓ All network requests go exclusively to api.castreader.ai — the documented TTS service
✓ No credential harvesting or exfiltration — CASTREADER_API_KEY is only sent to the legitimate endpoint
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No shell command injection or arbitrary command execution
✓ Filesystem writes are scoped to /tmp/castreader-* and user library at ~/castreader-library/
✓ No hidden instructions, obfuscated code, or shadow functionality
✓ SKILL.md accurately describes all implemented capabilities