Trusted, risk score 5/100
Last scanned: 20 hours ago
brave-loggedin-tag-browsing
Browse X/Twitter and Facebook user pages with the Brave browser (logged-in state) and extract the latest posts
This is a legitimate social media scraping tool using Playwright for browser automation to extract public posts from X/Twitter and Facebook. No malicious behavior, credential theft, or data exfiltration detected.
Skill name: brave-loggedin-tag-browsing
Analysis time: 56.1s
Engine: pi
Verdict: OK to install
This skill is safe to use. Minor improvements: fix hardcoded path in dist/index.js and correct the undefined export reference in execute.js.

Security findings: 2

Severity: Low
Finding: Minor path inconsistency (category: documentation deception)
dist/index.js has the hardcoded path /home/shuttle/.config/google-chrome instead of using dynamic os.homedir() as index.js does. This limits portability.
Code: const userDataDir = `/home/shuttle/.config/google-chrome`;
→ Use path.join(os.homedir(), '.config', 'google-chrome') for cross-platform compatibility
Location: dist/index.js:68

Severity: Low
Finding: Undefined export reference (category: documentation deception)
execute.js imports 'braveBrowseX' from index.js but this function is not exported; only 'braveBrowsePlatform' is exported.
Code: const { braveBrowseX } = require('./index');
→ Change to 'braveBrowsePlatform' or export a braveBrowseX alias
Location: execute.js:7

Resource type | Declared permission | Inferred permission | Status | Evidence
Browser | READ | READ | ✓ Consistent | Playwright CDP connection to existing browser
Browser | WRITE | WRITE | ✓ Consistent | launchPersistentContext creates new Brave instance
File system | READ | READ | ✓ Consistent | Accesses browser userDataDir via Playwright for session persistence
Command execution | NONE | NONE | | No subprocess or shell execution detected
Network access | NONE | READ | ✓ Consistent | Only connects to x.com and facebook.com for scraping
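
3 findings

Severity: Medium
Finding: External URL (category: External URL)
https://twitter.com/$
Location: dist/index.js:27

Severity: Medium
Finding: External URL (category: External URL)
https://www.facebook.com/$
Location: dist/index.js:45

Severity: Medium
Finding: External URL (category: External URL)
https://clawhub.com/skills/brave-loggedin-tag-browsing
Location: skill.json:98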

Directory structure

12 files · 61.3 KB · 1731 lines
JavaScript 5f · 628L | JSON 4f · 433L | Markdown 2f · 382L | TypeScript 1f · 288L
├─ 📁 dist
│ └─ 📜 index.js JavaScript 227L · 10.6 KB
├─ 📜 cli.js JavaScript 41L · 1.1 KB
├─ 📜 execute.js JavaScript 42L · 1.1 KB
├─ 📜 index.js JavaScript 171L · 6.7 KB
├─ 📜 index.ts TypeScript 288L · 10.9 KB
├─ 📋 package-lock.json JSON 283L · 9.9 KB
├─ 📋 package.json JSON 27L · 600 B
├─ 📝 README.md Markdown 276L · 8.5 KB
├─ 📋 skill.json JSON 105L · 3.9 KB
├─ 📝 SKILL.md Markdown 106L · 3.0 KB
├─ 📜 test-facebook.js JavaScript 147L · 4.7 KB
└─ 📋 tsconfig.json JSON 18L · 455 B

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
playwright | ^1.58.2 | npm | | Version has caret range, recommend exact pinning

Security highlights

✓ No shell execution or subprocess usage
✓ No credential harvesting or environment variable access
✓ No data exfiltration to external servers
✓ No base64 encoding or obfuscation
✓ No remote script download (curl|bash, wget|sh)
✓ Uses legitimate Playwright library for browser automation
✓ Documentation accurately describes the scraping functionality
✓ Only accesses publicly available social media data
✓ No supply chain risks - uses well-known playwright package with version pinned