Low Risk — Risk Score 5/100
Last scan: 16 hr ago
方正鸿云编辑助手
Automation skill for Founder academic publishing cloud platform
This is a legitimate academic publishing platform automation skill with comprehensive security documentation. All declared capabilities (browser, exec) match documented usage patterns.
Skill Name: 方正鸿云编辑助手
Duration: 34.6s
Engine: pi
Safe to install
This skill is safe to use. Ensure the exec permission is acceptable for your environment given its use of curl for WeChat API calls.

Findings (2 items)

Severity: Low
Finding: exec permission declared for WeChat API (Priv Escalation)
Location: _meta.json:27
The skill declares exec permission for curl-based WeChat API calls. While documented, exec provides broader shell access than a browser-only approach.
Evidence: "exec": true
→ Verify exec permission is acceptable for your environment. The curl targets are domain-restricted to api.weixin.qq.com.

Severity: Info
Finding: Temporary file writes for WeChat publishing (Sensitive Access)
Location: SKILL.md:220
Skill writes HTML content to /tmp for WeChat article processing. Files are temporary and not persisted.
Evidence: # Save the fetched HTML to /tmp/wechat_article_{article_id}.html
→ Not a security concern as files are temporary and cleaned after session.
Resource | Declared | Inferred | Status | Evidence
Browser | READ | READ | ✓ Aligned | _meta.json declares browser:true; SKILL.md uses browser.open/act for login and p…
Network | READ | READ | ✓ Aligned | SKILL.md restricts API calls to FOUNDER_PLATFORM_URL and api.weixin.qq.com
Shell | WRITE | WRITE | ✓ Aligned | _meta.json declares exec:true; SKILL.md shows curl commands for WeChat API
Filesystem | NONE | WRITE | ✓ Aligned | SKILL.md step 2.1 saves HTML to /tmp/wechat_article_{article_id}.html
11 findings (External URL)

Severity | Finding | URL | Location
Medium | External URL | http://journal.portal.founderss.cn/) | SKILL.md:5
Medium | External URL | http://journal.portal.founderss.cn/ | SKILL.md:18
Medium | External URL | https://mp.weixin.qq.com/ | SKILL.md:30
Medium | External URL | https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=$ | SKILL.md:394
Medium | External URL | https://api.weixin.qq.com/cgi-bin/material/add_material?access_token=$ | SKILL.md:400
Medium | External URL | https://api.weixin.qq.com/cgi-bin/draft/add?access_token=$ | SKILL.md:408
Medium | External URL | https://api.weixin.qq.com/cgi-bin/freepublish/submit?access_token=$ | SKILL.md:427
Medium | External URL | https://api.weixin.qq.com/cgi-bin/freepublish/get?access_token=$ | SKILL.md:435
Medium | External URL | http://mp.weixin.qq.com/s?... | SKILL.md:438
Medium | External URL | http://html.journal.founderss.cn/... | SKILL.md:824
Medium | External URL | https://clawhub.ai/behurry/founder-hy-editor-browser | _meta.json:9

File Tree

3 files · 34.8 KB · 1147 lines
Markdown: 2 files · 1057 lines; JSON: 1 file · 90 lines
├─ _meta.json (JSON, 90 lines · 2.6 KB)
├─ setup.md (Markdown, 134 lines · 3.5 KB)
└─ SKILL.md (Markdown, 923 lines · 28.7 KB)

Security Positives

✓ All API targets are explicitly declared and domain-restricted
✓ No credential theft or exfiltration behavior
✓ Cookies stored only in session memory, not persisted to files
✓ Comprehensive security documentation with clear trust model
✓ No obfuscation, base64-encoded commands, or suspicious patterns
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No reverse shell, C2, or data theft indicators
✓ Open source skill with full code transparency
✓ Browser same-origin policy provides additional security layer