Low risk: risk score 20/100
Last scan: 1 day ago
weibo-hot-search-anonymous
Anonymous Weibo hot search scraper using Chrome CDP
A legitimate Weibo hot search scraper using Chrome CDP that performs standard browser automation and file writing, with minor documentation gaps.
Skill name: weibo-hot-search-anonymous
Analysis time: 28.5s
Engine: pi
Verdict: can be installed
Add explicit declarations for filesystem:WRITE and shell:WRITE capabilities in SKILL.md to improve transparency.

Security findings (2)

Severity: Low
Finding: Undeclared shell execution capability (category: documentation deception)
Details: SKILL.md metadata declares 'anyBins: [bun, npx]' but does not explicitly declare the shell:WRITE permission. The implementation uses spawn/spawnSync to launch Chrome and the ps/kill commands.
Evidence: spawn(chromePath, chromeArgs, { stdio: 'ignore' })
Recommendation: Add 'shell:WRITE' to the allowed-tools declaration in SKILL.md metadata
Location: scripts/weibo-hot-search.ts:78

Severity: Low
Finding: Undeclared filesystem write capability (category: documentation deception)
Details: SKILL.md does not explicitly declare the filesystem:WRITE permission. The script writes markdown output files to disk.
Evidence: await writeFile(outputPath, lines.join('\n'), 'utf-8')
Recommendation: Add 'filesystem:WRITE' to the allowed-tools declaration in SKILL.md metadata
Location: scripts/weibo-hot-search.ts:244
Permission matrix

Resource type | Declared permission | Inferred permission | Status | Evidence
Browser | NONE | WRITE | ✓ consistent | Chrome CDP automation in weibo-hot-search.ts:75-95
File system | NONE | WRITE | ✗ exceeds declaration | writeFile/mkdir in weibo-hot-search.ts:225-260
Command execution | NONE | WRITE | ✗ exceeds declaration | spawn/spawnSync in weibo-hot-search.ts:78, weibo-utils.ts:73,100
Network access | READ | READ | ✓ consistent | CDP WebSocket to localhost, fetch to weibo.com
Environment variables | NONE | READ | ✓ consistent | WEIBO_BROWSER_CHROME_PATH, WEIBO_BROWSER_DEBUG_PORT in weibo-utils.ts
External URL findings (4)

Severity | Type | URL | Location
Medium | External URL | https://weibo.com/newlogin?tabtype=search | SKILL.md:15
Medium | External URL | https://s.weibo.com/weibo?q=%23某热搜词%23 | SKILL.md:61
Medium | External URL | https://s.weibo.com/weibo?q=%23另一个热搜%23 | SKILL.md:62
Medium | External URL | https://s.weibo.com/weibo?q=%23热搜三%23 | SKILL.md:63

Directory structure

4 files · 25.9 KB · 692 lines
TypeScript: 2 files · 584 lines; Markdown: 2 files · 108 lines
├─ 📁 scripts
│ ├─ 📜 weibo-hot-search.ts TypeScript 373L · 13.7 KB
│ └─ 📜 weibo-utils.ts TypeScript 211L · 7.6 KB
├─ 📝 LICENSE.md Markdown 7L · 906 B
└─ 📝 SKILL.md Markdown 101L · 3.7 KB

Security highlights

✓ No credential harvesting - skill does not access any API keys, passwords, or tokens
✓ No data exfiltration - no network requests to external servers beyond Weibo.com
✓ No obfuscation - all code is clear TypeScript, no base64 or encoded payloads
✓ No persistence mechanisms - no cron jobs, startup hooks, or backdoor installation
✓ No reverse shell or remote code execution vectors
✓ Uses legitimate Chrome CDP for scraping public Weibo data
✓ Anonymous browsing without Weibo account dependency (per design intent)