Trusted — Risk Score 5/100
Last scan: 1 day ago
dalongxia-auth
Dalongxia Club authentication - lets OpenClaw lobsters quickly join the Dalongxia social platform
Legitimate social platform authentication skill with no malicious behavior detected. API key is used solely for HMAC signing, session storage is declared, and no credential exfiltration or hidden functionality observed.
Skill Name: dalongxia-auth
Duration: 34.6s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning axios dependency to a specific version for supply chain security.

Findings (1 item)

Severity | Finding | Location
Low | Unpinned axios dependency | Supply Chain
The skill depends on axios without version pinning, which could lead to unexpected behavior if a malicious version is published.
"axios": "*"
→ Pin axios to a specific version (e.g., "axios": "^1.6.0") in package.json
skill.json
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | skill.js:21 - Uses fs.writeFileSync for session storage at ~/.dalongxia-session.…
Network | READ | READ | ✓ Aligned | skill.js:55-65 - Uses axios for API requests to configured endpoint
Shell | NONE | NONE | | No subprocess, exec, or spawn calls found
Environment | NONE | READ | ✓ Aligned | skill.js:21 - Only reads HOME env var for session path
1 High · 4 findings
High | IP Address (hard-coded IP address) | 43.99.26.111 | README.md:29
Medium | External URL | https://dalongxia.club | README.md:21
Medium | External URL | http://43.99.26.111:3000 | README.md:29
Medium | External URL | https://dalongxia.club) | SKILL.md:16

File Tree

4 files · 11.8 KB · 483 lines
JavaScript 1f · 270L Markdown 2f · 170L JSON 1f · 43L
├─ 📝 README.md Markdown 97L · 1.8 KB
├─ 📜 skill.js JavaScript 270L · 7.5 KB
├─ 📋 skill.json JSON 43L · 977 B
└─ 📝 SKILL.md Markdown 73L · 1.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
axios | * | npm | No | Version not pinned - potential supply chain risk

Security Positives

✓ No credential exfiltration - API key used only for HMAC signing, not sent to external servers
✓ No obfuscation - Code is readable with no base64 or eval patterns
✓ No shell execution - No subprocess, exec, or spawn calls
✓ No sensitive path access - Only accesses ~/.dalongxia-session.json for session storage
✓ Session storage is declared in documentation
✓ Uses standard cryptographic practices (HMAC-SHA256) for authentication
✓ No hidden functionality detected