Low Risk — Risk Score 20/100
Last scan: 1 day ago
weibo-hot-search-anonymous
Anonymous Weibo hot search scraper using Chrome CDP
A legitimate Weibo hot search scraper using Chrome CDP that performs standard browser automation and file writing, with minor documentation gaps.
Skill Name: weibo-hot-search-anonymous
Duration: 28.5s
Engine: pi
Safe to install
Add explicit declarations for filesystem:WRITE and shell:WRITE capabilities in SKILL.md to improve transparency.

Findings 2 items

Severity: Low
Finding: Undeclared shell execution capability (Doc Mismatch)
Location: scripts/weibo-hot-search.ts:78
SKILL.md metadata declares 'anyBins: [bun, npx]' but does not explicitly declare shell:WRITE permission. The implementation uses spawn/spawnSync to launch Chrome and ps/kill commands.
spawn(chromePath, chromeArgs, { stdio: 'ignore' })
→ Add 'shell:WRITE' to allowed-tools declaration in SKILL.md metadata

Severity: Low
Finding: Undeclared filesystem write capability (Doc Mismatch)
Location: scripts/weibo-hot-search.ts:244
SKILL.md does not explicitly declare filesystem:WRITE permission. The script writes markdown output files to disk.
await writeFile(outputPath, lines.join('\n'), 'utf-8')
→ Add 'filesystem:WRITE' to allowed-tools declaration in SKILL.md metadata

Resource | Declared | Inferred | Status | Evidence
Browser | NONE | WRITE | ✓ Aligned | Chrome CDP automation in weibo-hot-search.ts:75-95
Filesystem | NONE | WRITE | ✗ Violation | writeFile/mkdir in weibo-hot-search.ts:225-260
Shell | NONE | WRITE | ✗ Violation | spawn/spawnSync in weibo-hot-search.ts:78, weibo-utils.ts:73,100
Network | READ | READ | ✓ Aligned | CDP WebSocket to localhost, fetch to weibo.com
Environment | NONE | READ | ✓ Aligned | WEIBO_BROWSER_CHROME_PATH, WEIBO_BROWSER_DEBUG_PORT in weibo-utils.ts

4 findings

Severity | Type | URL | Location
Medium | External URL | https://weibo.com/newlogin?tabtype=search | SKILL.md:15
Medium | External URL | https://s.weibo.com/weibo?q=%23某热搜词%23 | SKILL.md:61
Medium | External URL | https://s.weibo.com/weibo?q=%23另一个热搜%23 | SKILL.md:62
Medium | External URL | https://s.weibo.com/weibo?q=%23热搜三%23 | SKILL.md:63

File Tree

4 files · 25.9 KB · 692 lines
TypeScript 2f · 584L Markdown 2f · 108L
├─ 📁 scripts
│ ├─ 📜 weibo-hot-search.ts TypeScript 373L · 13.7 KB
│ └─ 📜 weibo-utils.ts TypeScript 211L · 7.6 KB
├─ 📝 LICENSE.md Markdown 7L · 906 B
└─ 📝 SKILL.md Markdown 101L · 3.7 KB

Security Positives

✓ No credential harvesting - skill does not access any API keys, passwords, or tokens
✓ No data exfiltration - no network requests to external servers beyond Weibo.com
✓ No obfuscation - all code is clear TypeScript, no base64 or encoded payloads
✓ No persistence mechanisms - no cron jobs, startup hooks, or backdoor installation
✓ No reverse shell or remote code execution vectors
✓ Uses legitimate Chrome CDP for scraping public Weibo data
✓ Anonymous browsing without Weibo account dependency (per design intent)