felo-superAgent 安全扫描报告 — 可信 | ClawSafe

0 /100

felo-superAgent

AI conversation with real-time SSE streaming on a persistent LiveDoc canvas

Felo SuperAgent is a legitimate API client skill that makes authenticated HTTP requests to the Felo Open Platform API. All capabilities are properly declared, no sensitive data access, no credential exfiltration, and no suspicious execution patterns detected.

技能名称felo-superAgent

分析耗时21.1s

引擎pi

✓

可以安装

No action needed. The skill is safe to use as described.

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	HTTP requests to https://openapi.felo.ai with Bearer token authentication (run_s…
命令执行	`NONE`	`NONE`	—	SKILL.md: Shell execution not declared. Scripts use Node.js for API calls only, …
文件系统	`NONE`	`NONE`	—	No file read/write operations in scripts
环境变量	`READ`	`READ`	✓ 一致	SKILL.md declares env var usage. Scripts read FELO_API_KEY only (run_superagent.…
剪贴板	`NONE`	`NONE`	—	No clipboard access detected
浏览器	`NONE`	`NONE`	—	No browser access detected
数据库	`NONE`	`NONE`	—	No database access detected
技能调用	`READ`	`READ`	✓ 一致	Depends on felo-livedoc skill for LiveDoc management (clawhub.json)

1 高危 7 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your-api-key-here"

README.md:64

🔗

中危外部 URL 外部 URL

https://felo.ai/livedoc/...

README.md:266

🔗

中危外部 URL 外部 URL

https://custom-api.example.com

README.md:376

🔗

中危外部 URL 外部 URL

https://openapi.felo.ai/docs/api-reference/v2/superagent.html

README.md:394

🔗

中危外部 URL 外部 URL

https://openapi.felo.ai/docs/

README.md:395

🔗

中危外部 URL 外部 URL

https://felo.ai/livedoc/QPetunwpGnkKuZHStP7gwt

SKILL.md:375

🔗

中危外部 URL 外部 URL

https://openapi.felo.ai

SKILL.md:644

目录结构

5 文件 · 77.6 KB · 2005 行

Markdown 2f · 1208L JavaScript 2f · 784L JSON 1f · 13L

├─ ▾ 📁 scripts

│ ├─ 📜 run_style_library.mjs JavaScript 213L · 6.5 KB

│ └─ 📜 run_superagent.mjs JavaScript 571L · 20.4 KB

├─ 📋 clawhub.json JSON 13L · 793 B

├─ 📝 README.md Markdown 398L · 12.7 KB

└─ 📝 SKILL.md Markdown 810L · 37.2 KB

安全亮点

✓ No shell command execution - uses Node.js for all API interactions

✓ No credential exfiltration - FELO_API_KEY used only for Bearer authentication to legitimate API endpoint

✓ No sensitive path access - does not read ~/.ssh, ~/.aws, or .env files

✓ No base64/encoded payloads piped to shell

✓ No remote script execution (curl|bash, wget|sh)

✓ No hidden instructions in HTML comments or embedded data

✓ API key read from environment variable only, never hardcoded in code

✓ Clear doc-to-code alignment: SKILL.md accurately describes all functionality

✓ Scripts are self-contained JavaScript with no external dependencies requiring installation

✓ SSE streaming is standard HTTP behavior for real-time responses

✓ All external URLs point to legitimate Felo AI domain (openapi.felo.ai)