Trusted — Risk Score 5/100
Last scan: 23 hr ago
fnclub-signer
Feiniu forum (club.fnnas.com) automatic check-in
Legitimate forum auto-sign-in skill with appropriate credential handling and local-only data storage. No malicious behavior detected.
Skill Name: fnclub-signer
Duration: 28.8s
Engine: pi
Safe to install
Skill is safe to use. The only finding is advisory: dependency ranges in package.json are not pinned. A package-lock.json is committed, so installs with npm ci are already reproducible; pinning exact versions additionally protects plain npm install.

Findings (1 item)

Severity | Finding | Location
Low | Dependency versions not pinned | Supply Chain
package.json uses caret ranges (^1.13.6) rather than exact versions. A caret range accepts any later minor or patch release below the next major (^1.13.6 resolves to >=1.13.6 <2.0.0), so a fresh install that ignores the lockfile can pull in code that was never reviewed. It does not accept a new major version; that is what the caret pins.
"axios": "^1.13.6"
→ Pin exact versions (e.g., "axios": "1.13.6"), or install from the committed package-lock.json with npm ci so the resolved versions cannot drift
scripts/package.json:41
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✓ Aligned | fnclub_signer.js:lines 65-70 writes cookies.json and token_cache.json to local s…
Network | NONE | READ | ✓ Aligned | fnclub_signer.js:lines 32,142,162,203 makes HTTP requests to club.fnnas.com and …
Environment | READ | READ | ✓ Aligned | fnclub_signer.js:lines 25-28 reads FNCLUB_USERNAME, FNCLUB_PASSWORD, BAIDU_OCR_A…
Shell | NONE | NONE | | No subprocess or shell execution found
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill Invoke | NONE | NONE | | No skill invocation
External URLs (4 findings)

Severity | Finding | URL | Location
Medium | External URL | https://ai.baidu.com/ | SKILL.md:54
Medium | External URL | https://club.fnnas.com/ | scripts/fnclub_signer.js:32
Medium | External URL | https://aip.baidubce.com/oauth/2.0/token | scripts/fnclub_signer.js:142
Medium | External URL | https://aip.baidubce.com/rest/2.0/ocr/v1/accurate_basic?access_token=$ | scripts/fnclub_signer.js:162

File Tree

4 files · 40.2 KB · 1145 lines
JSON 2f · 677L JavaScript 1f · 370L Markdown 1f · 98L
├─ 📁 scripts
│ ├─ 📜 fnclub_signer.js JavaScript 370L · 14.2 KB
│ ├─ 📋 package-lock.json JSON 624L · 21.9 KB
│ └─ 📋 package.json JSON 53L · 1.3 KB
└─ 📝 SKILL.md Markdown 98L · 2.8 KB

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
axios | ^1.13.6 | npm | No | Version not pinned, uses caret range
cheerio | ^1.2.0 | npm | No | Version not pinned, uses caret range
tough-cookie | ^6.0.0 | npm | No | Version not pinned, uses caret range
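The check behind the "Dependency versions not pinned" finding and the Dependencies table above, as an added example that is not part of the fnclub-signer skill: it classifies each range in a package.json, states what the range actually permits under npm's semver rules, emits the pinned form the finding recommends, and cross-checks a package-lock.json so the reader can see when a lockfile already makes the install reproducible. The two manifests in the block are constructed samples that mirror the report's tables; the lockfile versions are assumed, not read from the skill's real package-lock.json.

```javascript
// Added example, not the skill's code. Audits dependency ranges in a
// package.json and cross-checks them against a lockfile. Node.js, no deps.

// Constructed sample mirroring the report's Dependencies table.
const SAMPLE_PACKAGE_JSON = {
  name: 'fnclub-signer-sample',
  dependencies: { axios: '^1.13.6', cheerio: '^1.2.0', 'tough-cookie': '^6.0.0' },
};

// Constructed lockfile (v2/v3 shape: "packages" keyed by install path).
// Versions are assumed for the example, not taken from the real lockfile.
const SAMPLE_PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.13.6' },
    'node_modules/cheerio': { version: '1.2.0' },
    'node_modules/tough-cookie': { version: '6.0.0' },
  },
};

const EXACT = /^(\d+)\.(\d+)\.(\d+)$/;
const RANGE = /^([\^~])(\d+)\.(\d+)\.(\d+)$/;

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// npm semver rules for the two common shorthands:
//   ^1.13.6 -> >=1.13.6 <2.0.0  (minor and patch updates, never a new major)
//   ^0.2.3  -> >=0.2.3  <0.3.0  (caret fixes the leftmost non-zero component)
//   ^0.0.3  -> >=0.0.3  <0.0.4
//   ~1.13.6 -> >=1.13.6 <1.14.0 (patch updates only)
function describeRange(spec) {
  if (EXACT.test(spec)) return { kind: 'exact', min: spec, maxExclusive: null };
  const m = RANGE.exec(spec);
  if (!m) return { kind: 'other', min: null, maxExclusive: null };
  const op = m[1];
  const [M, N, P] = [m[2], m[3], m[4]].map(Number);
  let upper;
  if (op === '~') upper = `${M}.${N + 1}.0`;
  else if (M > 0) upper = `${M + 1}.0.0`;
  else if (N > 0) upper = `0.${N + 1}.0`;
  else upper = `0.0.${P + 1}`;
  return { kind: op === '^' ? 'caret' : 'tilde', min: `${M}.${N}.${P}`, maxExclusive: upper };
}

function satisfies(version, spec) {
  const r = describeRange(spec);
  if (r.kind === 'exact') return version === spec;
  if (r.kind === 'other') return false; // unsupported syntax: treat as unverified
  return compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0;
}

// One finding per dependency whose spec is not an exact version.
function auditDependencies(pkg) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const r = describeRange(spec);
    if (r.kind === 'exact') continue;
    findings.push({
      name, spec, kind: r.kind,
      allows: r.kind === 'other' ? 'unrecognised range' : `>=${r.min} <${r.maxExclusive}`,
      recommend: r.min === null ? null : `"${name}": "${r.min}"`,
    });
  }
  return findings;
}

// The remediation the finding suggests: replace each range with its lower bound.
function pinDependencies(pkg) {
  const pinned = {};
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const r = describeRange(spec);
    pinned[name] = r.min === null ? spec : r.min;
  }
  return { ...pkg, dependencies: pinned };
}

// Reproducibility caveat: with a committed package-lock.json and `npm ci`, the
// lockfile already fixes the installed versions. This verifies every locked
// version lies inside its manifest range (npm ci refuses to install otherwise).
function lockfileConsistent(pkg, lock) {
  return Object.entries(pkg.dependencies || {}).every(([name, spec]) => {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    return entry !== undefined && satisfies(entry.version, spec);
  });
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
  console.log(JSON.stringify(pinDependencies(SAMPLE_PACKAGE_JSON), null, 2));
  console.log('lockfile consistent:', lockfileConsistent(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK));
}
```

Run it with node against the constructed samples; point auditDependencies at a parsed real package.json to audit a project. The lockfile check is the part the finding leaves out: when the lock is committed and the install uses npm ci, the caret ranges only matter for whoever runs a bare npm install or regenerates the lock.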

Security Positives

✓ No credential exfiltration: forum credentials are sent only to the club.fnnas.com login endpoint, and the Baidu OCR credentials only to the aip.baidubce.com endpoints
✓ No shell execution or subprocess usage
✓ No obfuscation or base64-encoded payloads
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No remote code execution or reverse shell behavior
✓ Documentation accurately reflects implementation behavior
✓ Local-only data storage (cookies.json, token_cache.json in the scripts directory); note that both files are credential material at rest (the forum session cookies and the cached OCR access token), so the directory's permissions matter
✓ No C2 communication or data theft detected
✓ Legitimate dependencies (axios, cheerio, tough-cookie) from known sources