Low risk: risk score 5/100
Last scanned: 18 hours ago
方正鸿云编辑助手
Automation skill for Founder academic publishing cloud platform
This is a legitimate academic publishing platform automation skill with comprehensive security documentation. All declared capabilities (browser, exec) match documented usage patterns.
Skill name: 方正鸿云编辑助手
Analysis time: 34.6s
Engine: pi
OK to install
This skill is safe to use. Ensure the exec permission is acceptable for your environment given its use of curl for WeChat API calls.

Security findings: 2

Severity / Finding / Location
Low
exec permission declared for WeChat API (category: Privilege escalation)
The skill declares exec permission for curl-based WeChat API calls. While documented, exec provides broader shell access than a browser-only approach.
"exec": true
→ Verify exec permission is acceptable for your environment. The curl targets are domain-restricted to api.weixin.qq.com.
_meta.json:27
Info
Temporary file writes for WeChat publishing (category: Sensitive access)
Skill writes HTML content to /tmp for WeChat article processing. Files are temporary and not persisted.
# Save the fetched HTML to /tmp/wechat_article_{article_id}.html
→ Not a security concern as files are temporary and cleaned after session.
SKILL.md:220
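| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Browser | READ | READ | ✓ Consistent | _meta.json declares browser:true; SKILL.md uses browser.open/act for login and p… |
| Network access | READ | READ | ✓ Consistent | SKILL.md restricts API calls to FOUNDER_PLATFORM_URL and api.weixin.qq.com |
| Command execution | WRITE | WRITE | ✓ Consistent | _meta.json declares exec:true; SKILL.md shows curl commands for WeChat API |
| File system | NONE | WRITE | ✓ Consistent | SKILL.md step 2.1 saves HTML to /tmp/wechat_article_{article_id}.html |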
11 findings

| Severity | Type | URL | Location |
| --- | --- | --- | --- |
| Medium | External URL | http://journal.portal.founderss.cn/) | SKILL.md:5 |
| Medium | External URL | http://journal.portal.founderss.cn/ | SKILL.md:18 |
| Medium | External URL | https://mp.weixin.qq.com/ | SKILL.md:30 |
| Medium | External URL | https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=$ | SKILL.md:394 |
| Medium | External URL | https://api.weixin.qq.com/cgi-bin/material/add_material?access_token=$ | SKILL.md:400 |
| Medium | External URL | https://api.weixin.qq.com/cgi-bin/draft/add?access_token=$ | SKILL.md:408 |
| Medium | External URL | https://api.weixin.qq.com/cgi-bin/freepublish/submit?access_token=$ | SKILL.md:427 |
| Medium | External URL | https://api.weixin.qq.com/cgi-bin/freepublish/get?access_token=$ | SKILL.md:435 |
| Medium | External URL | http://mp.weixin.qq.com/s?... | SKILL.md:438 |
| Medium | External URL | http://html.journal.founderss.cn/... | SKILL.md:824 |
| Medium | External URL | https://clawhub.ai/behurry/founder-hy-editor-browser | _meta.json:9 |

Directory structure

3 files · 34.8 KB · 1147 lines
Markdown 2f · 1057L JSON 1f · 90L
├─ 📋 _meta.json JSON 90L · 2.6 KB
├─ 📝 setup.md Markdown 134L · 3.5 KB
└─ 📝 SKILL.md Markdown 923L · 28.7 KB

Security highlights

✓ All API targets are explicitly declared and domain-restricted
✓ No credential theft or exfiltration behavior
✓ Cookies stored only in session memory, not persisted to files
✓ Comprehensive security documentation with clear trust model
✓ No obfuscation, base64 encoded commands, or suspicious patterns
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No reverse shell, C2, or data theft indicators
✓ Open source skill with full code transparency
✓ Browser same-origin policy provides additional security layer