Trusted: risk score 5/100
Last scan: 1 day ago
fnclub-signer
Automatic daily check-in for the Feiniu forum (club.fnnas.com)
Legitimate forum auto-sign-in skill with appropriate credential handling and local-only data storage. No malicious behavior detected.
Skill name: fnclub-signer
Analysis time: 28.8s
Engine: pi
Verdict: safe to install
Skill is safe to use. Consider pinning dependency versions for better reproducibility.

Security findings: 1

Severity  Finding                         Category
Low       Dependency versions not pinned  Supply chain
Description: package.json uses caret ranges (^1.13.6) for dependencies instead of exact versions. This could lead to unexpected behavior if major versions are released.
Evidence: "axios": "^1.13.6"
→ Pin exact versions (e.g., "axios": "1.13.6") for better reproducibility
Location: scripts/package.json:41
Permission analysis

Resource               Declared  Inferred  Status        Evidence
Filesystem             NONE      WRITE     ✓ Consistent  fnclub_signer.js:lines 65-70 writes cookies.json and token_cache.json to local s…
Network access         NONE      READ      ✓ Consistent  fnclub_signer.js:lines 32,142,162,203 makes HTTP requests to club.fnnas.com and …
Environment variables  READ      READ      ✓ Consistent  fnclub_signer.js:lines 25-28 reads FNCLUB_USERNAME, FNCLUB_PASSWORD, BAIDU_OCR_A…
Command execution      NONE      NONE      -             No subprocess or shell execution found
Clipboard              NONE      NONE      -             No clipboard access
Browser                NONE      NONE      -             No browser automation
Database               NONE      NONE      -             No database access
Skill invocation       NONE      NONE      -             No skill invocation
External URLs: 4 findings

Severity  Type          URL                                                                     Location
Medium    External URL  https://ai.baidu.com/                                                   SKILL.md:54
Medium    External URL  https://club.fnnas.com/                                                 scripts/fnclub_signer.js:32
Medium    External URL  https://aip.baidubce.com/oauth/2.0/token                                scripts/fnclub_signer.js:142
Medium    External URL  https://aip.baidubce.com/rest/2.0/ocr/v1/accurate_basic?access_token=$  scripts/fnclub_signer.js:162

Directory structure

4 files · 40.2 KB · 1145 lines
JSON: 2 files, 677 lines · JavaScript: 1 file, 370 lines · Markdown: 1 file, 98 lines
├─ 📁 scripts
│ ├─ 📜 fnclub_signer.js JavaScript 370L · 14.2 KB
│ ├─ 📋 package-lock.json JSON 624L · 21.9 KB
│ └─ 📋 package.json JSON 53L · 1.3 KB
└─ 📝 SKILL.md Markdown 98L · 2.8 KB

Dependency analysis: 3 items

Package       Version  Source  Known vulnerabilities  Notes
axios         ^1.13.6  npm     -                      Version not pinned, uses caret range
cheerio       ^1.2.0   npm     -                      Version not pinned, uses caret range
tough-cookie  ^6.0.0   npm     -                      Version not pinned, uses caret range

Security highlights

✓ No credential exfiltration - credentials only sent to forum login endpoint and Baidu OCR API
✓ No shell execution or subprocess usage
✓ No obfuscation or base64-encoded payloads
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No remote code execution or reverse shell behavior
✓ Documentation accurately reflects implementation behavior
✓ Local-only data storage (cookies.json, token_cache.json in scripts directory)
✓ No C2 communication or data theft detected
✓ Legitimate dependencies (axios, cheerio, tough-cookie) from known sources