Low Risk — Risk Score 25/100
Last scan: 1 day ago
article-archiver
Automatically archive web articles and Twitter Articles to Feishu documents
Article archiving tool with legitimate functionality but containing credential storage weaknesses and hardcoded API secrets that pose moderate security risks.
Skill Name: article-archiver
Duration: 51.0s
Engine: pi
Safe to install
Remove hardcoded credentials from source code and use environment variables or secure secret management for API keys and tokens. Move twitter-cookies.txt to a more secure credential store.

Findings 3 items

Severity Finding Location
[Medium] Hardcoded Feishu API Secret (Credential Theft)
The Feishu app_secret is hardcoded in plain text within archive-simple.py. This credential should be stored in environment variables or a secure secret manager.
app_secret":"gdEsio0WzDtHEhHFeLS55wBseDpExVtg"
→ Use environment variable FEISHU_APP_SECRET or integrate with a secret manager like Vault or AWS Secrets Manager.
scripts/archive-simple.py:30
[Medium] Plain Text Twitter Credential Storage (Sensitive Access)
Twitter authentication tokens (auth_token, ct0, twid) are stored in plain text in config/twitter-cookies.txt. This file is readable and contains sensitive session credentials.
auth_token=170c0acd24505948b5d0a7f7d216c635bf1a9988;...
→ Use encrypted storage or environment variables for sensitive tokens. Consider using a credentials manager.
config/twitter-cookies.txt:1
[Low] Incomplete Capability Declaration (Doc Mismatch)
SKILL.md does not explicitly declare that this skill accesses credential files (twitter-cookies.txt) or makes direct API calls with stored secrets.
SKILL.md describes web_fetch and feishu_doc tool usage but does not mention direct API calls with hardcoded credentials
→ Add a 'Security Considerations' section documenting credential storage and API usage patterns.
SKILL.md:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md declares read access; scripts read config files and scripts
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md declares shell:WRITE; bash scripts execute commands via subprocess
Network | READ | READ | ✓ Aligned | SKILL.md declares web_fetch usage; scripts make HTTP requests to Twitter and Fei…
Browser | READ | READ | ✓ Aligned | SKILL.md declares agent-browser usage for page extraction
Environment | NONE | NONE | | No environment variable access detected
48 findings: external URL references, each rated Medium

File Tree

40 files · 174.1 KB · 5874 lines
JavaScript 17f · 2779L Markdown 3f · 1536L Python 7f · 836L Shell 8f · 585L JSON 3f · 136L Text 2f · 2L
├─ 📁 config
│ ├─ 🔧 feishu-locations.sh Shell 19L · 651 B
│ └─ 📄 twitter-cookies.txt Text 1L · 248 B
├─ 📁 data
│ └─ 📄 archived_urls.txt Text 1L · 154 B
├─ 📁 evals
│ └─ 📋 evals.json JSON 36L · 1.5 KB
├─ 📁 scripts
│ ├─ 📜 archive-article.js JavaScript 127L · 3.6 KB
│ ├─ 🔧 archive-example.sh Shell 94L · 2.4 KB
│ ├─ 🐍 archive-long-article-v2.py Python 234L · 7.8 KB
│ ├─ 📜 archive-long-article.js JavaScript 199L · 6.4 KB
│ ├─ 🐍 archive-long-article.py Python 193L · 6.8 KB
│ ├─ 🔧 archive-long-article.sh Shell 152L · 3.8 KB
│ ├─ 🐍 archive-simple.py Python 146L · 5.0 KB
│ ├─ 🔧 archive.sh Shell 73L · 1.5 KB
│ ├─ 🔧 check-duplicate.sh Shell 41L · 1.1 KB
│ ├─ 🔧 config.sh Shell 32L · 829 B
│ ├─ 📜 convert-v2-to-blocks.js JavaScript 71L · 1.6 KB
│ ├─ 📜 extract-article.js JavaScript 214L · 6.0 KB
│ ├─ 📜 fetch-twitter-article-formatted.js JavaScript 131L · 3.8 KB
│ ├─ 📜 fetch-twitter-article.js JavaScript 135L · 3.8 KB
│ ├─ 📜 html-to-markdown-final.js JavaScript 133L · 4.0 KB
│ ├─ 📜 html-to-markdown-fixed.js JavaScript 152L · 4.9 KB
│ ├─ 📜 html-to-markdown-turndown.js JavaScript 181L · 5.1 KB
│ ├─ 📜 html-to-markdown-v2.js JavaScript 199L · 6.0 KB
│ ├─ 📜 html-to-markdown-v3.js JavaScript 156L · 4.6 KB
│ ├─ 📜 html-to-markdown-v4.js JavaScript 241L · 6.6 KB
│ ├─ 📜 html-to-markdown-v5.js JavaScript 246L · 6.9 KB
│ ├─ 📜 html-to-markdown-v6.js JavaScript 238L · 7.7 KB
│ ├─ 📜 html-to-markdown.js JavaScript 133L · 4.0 KB
│ ├─ 🐍 prepare-segments.py Python 82L · 2.7 KB
│ ├─ 📜 test-contentblocks.js JavaScript 132L · 3.7 KB
│ ├─ 📜 test-image-extraction.js JavaScript 91L · 2.8 KB
│ ├─ 🐍 upload-image.py Python 52L · 1.6 KB
│ ├─ 🔧 upload-markdown-to-feishu.sh Shell 82L · 2.2 KB
│ ├─ 🔧 upload-to-feishu-batch.sh Shell 92L · 2.1 KB
│ ├─ 📝 v6-modification-summary.md Markdown 102L · 2.7 KB
│ └─ 🐍 write-to-doc.py Python 65L · 2.1 KB
├─ 📝 LESSONS.md Markdown 316L · 9.8 KB
├─ 📋 package-lock.json JSON 83L · 2.7 KB
├─ 📋 package.json JSON 17L · 346 B
├─ 📝 SKILL.md Markdown 1118L · 32.2 KB
└─ 🐍 test_image_insert.py Python 64L · 2.3 KB

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
playwright | ^1.58.2 | npm | No | Trusted package, version loosely pinned
turndown | ^7.2.2 | npm | No | Trusted package for HTML to Markdown conversion
turndown-plugin-gfm | ^1.0.2 | npm | No | GFM extension for turndown

Security Positives

✓ No reverse shell or C2 communication detected
✓ No data exfiltration beyond intended article archiving
✓ No obfuscated code or base64-encoded malicious payloads
✓ No unauthorized access to SSH keys, AWS credentials, or .env files
✓ Code is readable and well-documented
✓ Uses legitimate dependencies (Playwright, turndown) from trusted sources
✓ Functionality aligns with documented purpose (article archiving)