Name: x-daily-report Security Report — Suspicious | ClawSafe
Item: x-daily-report
Rating: 52
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

48 /100

x-daily-report

每日自动监控全球Top AI领域X/Twitter账号动态，生成结构化日报

硬编码X API凭证且凭证收割行为超出声明范围，但功能本身看似合法

Skill Namex-daily-report

Duration49.0s

Enginepi

ClawHub A real-time intelligence feed tracking the top 50 AI organizations and influencers globally. v1.0.0 by kongxiaodan20001201-alt

📥 183

ClawHub Verdict Suspicious env_credential_accessllm_suspiciousvt_suspicious

⚠

Use with caution

删除硬编码凭证，审查twitter-scraper库是否窃取认证会话

Attack Chain 3 steps

◎

Entry 用户安装并运行skill，声称用于X账号监控

SKILL.md:1

⬡

Escalation 通过useCookiesFromBrowser窃取Chrome中X平台认证Cookie

scripts/x-scraper-free.js:43

◉

Impact 使用窃取的Cookie或硬编码API密钥访问用户X账号数据

scripts/x-monitor.js:11

Findings 5 items

Severity	Finding	Location
High	硬编码X API密钥 Credential Theft 在源代码中直接暴露X平台API密钥'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ'，攻击者可通过源码获取并滥用 `const X_API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ'; // 已自动获取` → 移除硬编码密钥，改用环境变量或配置文件	`scripts/x-monitor.js:11`
High	从Chrome浏览器窃取认证Cookie Credential Theft 使用twitter-scraper库的useCookiesFromBrowser('chrome')方法从用户Chrome浏览器提取X平台的认证会话Cookie，可能窃取已登录凭证 `await scraper.useCookiesFromBrowser('chrome');` → 使用官方API而非浏览器会话劫持	`scripts/x-scraper-free.js:43`
Medium	飞书AccessToken环境变量访问 Credential Theft 代码访问FEISHU_ACCESS_TOKEN环境变量，该凭证用于获取飞书多维表格中的账号列表，存在凭证收割意图 'Authorization': `Bearer ${process.env.FEISHU_ACCESS_TOKEN}` → 确认此访问是否为功能必要	`scripts/x-monitor.js:23`
Medium	第三方依赖无版本锁定 Supply Chain axios依赖使用^1.6.0允许自动升级，存在供应链攻击风险 `"axios": "^1.6.0"` → 锁定具体版本如[email protected]	`package.json:14`
Low	API密钥获取方式未声明 Doc Mismatch SKILL.md提到'填入X_API_KEY'但未说明密钥来源，代码注释'已自动获取'暗示可能的收割行为 `填入 X_API_KEY 和 X_API_SECRET` → 明确说明API密钥来源和配置方式	`SKILL.md:58`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	axios调用飞书/X API
Environment	`NONE`	`READ`	✗ Violation	scripts/x-monitor.js:23 读取FEISHU_ACCESS_TOKEN
Filesystem	`WRITE`	`WRITE`	✓ Aligned	writeFile写入日报文件

1 High 2 findings

🔑

High API Key 疑似硬编码凭证

API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ'

scripts/x-monitor.js:11

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis

scripts/x-monitor.js:8

File Tree

5 files · 22.8 KB · 609 lines

JavaScript 2f · 445L Markdown 2f · 147L JSON 1f · 17L

├─ ▾ 📁 references

│ └─ 📝 account-list.md Markdown 54L · 2.9 KB

├─ ▾ 📁 scripts

│ ├─ 📜 x-monitor.js JavaScript 235L · 8.1 KB

│ └─ 📜 x-scraper-free.js JavaScript 210L · 7.5 KB

├─ 📋 package.json JSON 17L · 510 B

└─ 📝 SKILL.md Markdown 93L · 3.8 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`@the-convocation/twitter-scraper`	`^0.22.1`	npm	No	包含浏览器Cookie访问能力
`axios`	`^1.6.0`	npm	No	无版本锁定，存在供应链风险

Security Positives

✓ 功能实现完整，代码结构清晰

✓ 使用开源twitter-scraper而非自建恶意爬虫

✓ 日报生成逻辑合理，符合描述功能