bangumi-tracker 安全扫描报告 — 低风险 | ClawSafe

10 /100

bangumi-tracker

Manage Bangumi collections and track watch progress via OAuth

Legitimate Bangumi collection tracker using OAuth with proper credential handling; no malicious indicators found.

技能名称bangumi-tracker

分析耗时27.6s

引擎pi

✓

可以安装

Skill is safe to use. Consider adding allowed-tools declaration to SKILL.md for completeness.

安全发现 2 项

严重性	安全发现	位置
低危	Missing allowed-tools declaration 文档欺骗 SKILL.md does not declare the required allowed-tools permissions (network:READ, filesystem:WRITE, browser:READ) that the script actually uses. `No allowed-tools section in frontmatter` → Add allowed-tools declaration to SKILL.md frontmatter specifying: Read→filesystem:READ, WebFetch→network:READ, browser→browser:READ	`SKILL.md:1`
提示	Credential storage on non-Windows platforms 敏感访问 On non-Windows platforms, tokens are stored in plaintext JSON files (~/.bangumi/token.json). This is documented but worth noting. `else: with open(TOKEN_FILE, 'w', encoding='utf-8') as f: json.dump(token, f, indent=2)` → Consider using keyring or similar library for cross-platform secure storage	`bangumi_tracker.py:162`

资源类型	声明权限	推断权限	状态	证据
网络访问	`NONE`	`READ`	✓ 一致	Uses urllib.request for api.bgm.tv
文件系统	`NONE`	`WRITE`	✓ 一致	Writes to ~/.bangumi/config.json and ~/.bangumi/token.json
浏览器	`NONE`	`READ`	✓ 一致	webbrowser.open() for OAuth flow
命令执行	`NONE`	`NONE`	—	No subprocess usage

6 项发现

🔗

中危外部 URL 外部 URL

https://bgm.tv/dev/app/create

SKILL.md:19

🔗

中危外部 URL 外部 URL

https://api.bgm.tv/v0

bangumi_tracker.py:56

🔗

中危外部 URL 外部 URL

https://bgm.tv/oauth

bangumi_tracker.py:57

🔗

中危外部 URL 外部 URL

https://bgm.tv/oauth/authorize

references/API.md:11

🔗

中危外部 URL 外部 URL

https://bgm.tv/oauth/access_token

references/API.md:14

🔗

中危外部 URL 外部 URL

https://bgm.tv/oauth/token_status

references/API.md:29

目录结构

4 文件 · 45.3 KB · 1449 行

Python 1f · 1115L Markdown 3f · 334L

├─ ▾ 📁 references

│ ├─ 📝 API.md Markdown 127L · 2.7 KB

│ └─ 📝 COMMANDS.md Markdown 112L · 3.0 KB

├─ 🐍 bangumi_tracker.py Python 1115L · 37.3 KB

└─ 📝 SKILL.md Markdown 95L · 2.3 KB

安全亮点

✓ Uses Windows Credential Manager on Windows for secure credential storage

✓ No third-party dependencies - uses only Python stdlib (urllib, ctypes)

✓ All network requests go to official Bangumi API (api.bgm.tv, bgm.tv)

✓ OAuth 2.0 with proper token refresh mechanism

✓ No shell execution, no subprocess usage

✓ No obfuscation, base64 encoding, or suspicious patterns

✓ No data exfiltration or C2 communication

✓ Clear documentation with API compliance reference