zhihu-fetcher 安全扫描报告 — 低风险 | ClawSafe

20 /100

zhihu-fetcher

知乎数据获取 - 极简设计，支持三级认证降级（Browser Profile → File Cookie → Fallback），确保数据可靠获取

Zhihu data fetcher with legitimate web scraping functionality. One suspicious hardcoded IP (120.0.0.0) detected but appears to be placeholder/typo rather than malicious C2 indicator.

技能名称zhihu-fetcher

分析耗时68.3s

引擎pi

✓

可以安装

Verify the hardcoded IP address in snippets/cookie-manager.js:64 is intentional and legitimate before production use. Consider removing any unused test IPs.

安全发现 2 项

严重性	安全发现	位置
低危	Hardcoded IP Address (120.0.0.0) 敏感访问 A hardcoded IP address 120.0.0.0 was detected in snippets/cookie-manager.js. 120.0.0.0/8 is an APNIC-allocated public IP range. While this appears to be a placeholder or typo (it's the network address, not typically used as server IP), it warrants verification. `Referenced as HIGH IOC in pre-scan` → Verify this IP is intentional. If unused, remove it. If meant to be a placeholder, use a clearly commented placeholder like '0.0.0.0' or 'YOUR_IP_HERE'.	`snippets/cookie-manager.js:64`
低危	Plaintext Cookie Storage 凭证窃取 Zhihu session cookies (zhihu_session, z_c0, _xsrf, etc.) are stored in plaintext in config/fallback-sources.json. While this is necessary for the file_cookie authentication method, the SKILL.md notes '安全性 - cookie 配置文件中不要提交到 Git' which acknowledges the risk. `"zhihu_session": "V3afjq4jBt1mb7X8LoeX59PCWips42Mt8eq47xaduUI"` → Consider adding config/fallback-sources.json to .gitignore. The skill documentation already recommends this, but could make it more prominent.	`config/fallback-sources.json:5`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✓ 一致	scripts/generate_html.py:310 - writes to data/index.html
网络访问	`READ`	`READ`	✓ 一致	All network calls are HTTPS to zhihu.com and githubusercontent.com
命令执行	`NONE`	`READ`	✓ 一致	scripts/save_to_db.py:32 - subprocess.run(['node', ...]) for Node.js script exec…
环境变量	`NONE`	`NONE`	—	No environment variable access detected
数据库	`WRITE`	`WRITE`	✓ 一致	SQLite operations in scripts/db.py, clearly documented
浏览器	`READ`	`READ`	✓ 一致	Browser extraction snippets read DOM for data extraction

1 高危 30 项发现

📡

高危 IP 地址硬编码 IP 地址

120.0.0.0

snippets/cookie-manager.js:64

🔗

中危外部 URL 外部 URL

https://www.zhihu.com

SKILL.md:41

🔗

中危外部 URL 外部 URL

https://api.example.com/zhihu-hot.json

SKILL.md:299

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016604377415120691

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016607467954467246

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016444661095424928

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016214590560625837

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016458550067613931

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016267906896322825

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/398694606

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2015113794855142897

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2015300831826690616

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2015024147378500415

data/index.html:274

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2015804010213373773

data/zhihu-hot-2026-03-15.json:10

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2015910417793320691

data/zhihu-hot-2026-03-15.json:11

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016280494870853302

data/zhihu-hot-2026-03-15.json:12

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/455135036

data/zhihu-hot-2026-03-15.json:13

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016099547433161361

data/zhihu-hot-2026-03-15.json:14

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2015551066716989113

data/zhihu-hot-2026-03-15.json:16

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/2016526047311577504

data/zhihu-hot-2026-03-15.json:18

🔗

中危外部 URL 外部 URL

https://zhihu.com/question/1

scripts/db.py:177

🔗

中危外部 URL 外部 URL

https://zhihu.com/question/2

scripts/db.py:178

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/hot

snippets/browser-research.js:5

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/api/v3/feed/topstory/hot-list-web?limit=$

snippets/cookie-manager.js:115

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/question/$

snippets/cookie-manager.js:132

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/

snippets/research-anti-crawl.js:38

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/api/v3/feed/topstory/hot-list-web?limit=3

snippets/test-hot-structure.js:83

🔗

中危外部 URL 外部 URL

https://api.zhihu.com/people/self

snippets/test-zhihu-vapi-style.js:7

🔗

中危外部 URL 外部 URL

https://www.zhihu.com/api/v3/feed/topstory/hot-list-web?limit=10

snippets/test-zhihu-vapi-style.js:160

🔗

中危外部 URL 外部 URL

https://api.zhihu.com/topstory/hot-list?limit=10

snippets/test-zhihu-vapi-style.js:161

目录结构

25 文件 · 100.4 KB · 3260 行

JavaScript 15f · 1412L Python 5f · 1037L HTML 1f · 386L Markdown 1f · 366L JSON 3f · 59L

├─ ▾ 📁 config

│ └─ 📋 fallback-sources.json JSON 38L · 1.1 KB

├─ ▾ 📁 data

│ ├─ 📄 index.html HTML 386L · 14.2 KB

│ └─ 📋 zhihu-hot-2026-03-15.json JSON 20L · 2.3 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 db.py Python 194L · 5.6 KB

│ ├─ 🐍 generate_html.py Python 467L · 14.4 KB

│ ├─ 🐍 init_db.py Python 73L · 2.8 KB

│ ├─ 🐍 query.py Python 170L · 5.1 KB

│ └─ 🐍 save_to_db.py Python 133L · 3.8 KB

├─ ▾ 📁 snippets

│ ├─ 📜 browser-research.js JavaScript 104L · 2.8 KB

│ ├─ 📜 cookie-manager.js JavaScript 167L · 4.5 KB

│ ├─ 📜 fallback.js JavaScript 127L · 2.8 KB

│ ├─ 📜 fetch-hot.js JavaScript 161L · 4.6 KB

│ ├─ 📜 hot.js JavaScript 10L · 407 B

│ ├─ 📜 rate-limiter.js JavaScript 47L · 934 B

│ ├─ 📜 research-anti-crawl.js JavaScript 195L · 5.4 KB

│ ├─ 📜 search.js JavaScript 23L · 997 B

│ ├─ 📜 setup-cookie.js JavaScript 62L · 1.8 KB

│ ├─ 📜 test-fallback.js JavaScript 37L · 1006 B

│ ├─ 📜 test-file-cookie.js JavaScript 76L · 2.3 KB

│ ├─ 📜 test-fixed-cookie.js JavaScript 28L · 710 B

│ ├─ 📜 test-hot-structure.js JavaScript 104L · 3.0 KB

│ ├─ 📜 test-simple.js JavaScript 57L · 1.6 KB

│ └─ 📜 test-zhihu-vapi-style.js JavaScript 214L · 7.2 KB

├─ 📋 _meta.json JSON 1L · 19 B

└─ 📝 SKILL.md Markdown 366L · 11.1 KB

安全亮点

✓ No base64-encoded commands or obfuscated code detected

✓ No curl|bash or wget|sh remote script execution

✓ No credential harvesting loops over environment variables

✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive host paths

✓ No reverse shell, C2 communication, or data exfiltration patterns

✓ SQLite database is scoped to project data directory (data/zhihu.db)

✓ Network requests limited to legitimate targets (zhihu.com API, githubusercontent.com fallback)

✓ Rate limiting implemented to prevent abuse (2000ms default)

✓ Authentication methods clearly documented in SKILL.md