Low Risk — Risk Score 10/100
Last scan: 1 day ago
bangumi-tracker
Manage Bangumi collections and track watch progress via OAuth
Legitimate Bangumi collection tracker using OAuth with proper credential handling; no malicious indicators found.
Skill Name: bangumi-tracker
Duration: 27.6s
Engine: pi
Safe to install
Skill is safe to use. Consider adding allowed-tools declaration to SKILL.md for completeness.

Findings (2 items)

Severity: Low
Finding: Missing allowed-tools declaration (Doc Mismatch)
Location: SKILL.md:1
Detail: SKILL.md does not declare the required allowed-tools permissions (network:READ, filesystem:WRITE, browser:READ) that the script actually uses.
Evidence: No allowed-tools section in frontmatter
Recommendation: Add an allowed-tools declaration to the SKILL.md frontmatter specifying: Read→filesystem:READ, WebFetch→network:READ, browser→browser:READ

Severity: Info
Finding: Credential storage on non-Windows platforms (Sensitive Access)
Location: bangumi_tracker.py:162
Detail: On non-Windows platforms, tokens are stored in plaintext JSON files (~/.bangumi/token.json). This is documented but worth noting.
Evidence:
    else:
        with open(TOKEN_FILE, 'w', encoding='utf-8') as f:
            json.dump(token, f, indent=2)
Recommendation: Consider using keyring or a similar library for cross-platform secure storage
Resource     Declared  Inferred  Status     Evidence
Network      NONE      READ      ✓ Aligned  Uses urllib.request for api.bgm.tv
Filesystem   NONE      WRITE     ✓ Aligned  Writes to ~/.bangumi/config.json and ~/.bangumi/token.json
Browser      NONE      READ      ✓ Aligned  webbrowser.open() for OAuth flow
Shell        NONE      NONE                 No subprocess usage
External URLs (6 findings)

Severity  Finding       URL                                   Location
Medium    External URL  https://bgm.tv/dev/app/create         SKILL.md:19
Medium    External URL  https://api.bgm.tv/v0                 bangumi_tracker.py:56
Medium    External URL  https://bgm.tv/oauth                  bangumi_tracker.py:57
Medium    External URL  https://bgm.tv/oauth/authorize        references/API.md:11
Medium    External URL  https://bgm.tv/oauth/access_token     references/API.md:14
Medium    External URL  https://bgm.tv/oauth/token_status     references/API.md:29

File Tree

4 files · 45.3 KB · 1449 lines
Python: 1 file · 1115 lines; Markdown: 3 files · 334 lines
├─ 📁 references
│ ├─ 📝 API.md Markdown 127L · 2.7 KB
│ └─ 📝 COMMANDS.md Markdown 112L · 3.0 KB
├─ 🐍 bangumi_tracker.py Python 1115L · 37.3 KB
└─ 📝 SKILL.md Markdown 95L · 2.3 KB

Security Positives

✓ Uses Windows Credential Manager on Windows for secure credential storage
✓ No third-party dependencies - uses only Python stdlib (urllib, ctypes)
✓ All network requests go to official Bangumi API (api.bgm.tv, bgm.tv)
✓ OAuth 2.0 with proper token refresh mechanism
✓ No shell execution, no subprocess usage
✓ No obfuscation, base64 encoding, or suspicious patterns
✓ No data exfiltration or C2 communication
✓ Clear documentation with API compliance reference