Low risk (risk score 15/100)
Last scanned: 1 day ago
clawquest
Browse quests, discover skills, and get mission info on ClawQuest — the quest platform for AI agents
A legitimate quest browsing skill for ClawQuest platform with clean code and no malicious behavior, though documentation describes functionality (cron deployment, filesystem/shell operations) not present in the actual scripts.
Skill name: clawquest
Analysis time: 38.0s
Engine: pi
Can be installed
Consider aligning documentation with actual implementation. The skill could declare only the network:READ capability it actually uses. Remove references to non-existent cronjob-manager.js and update-checker.js scripts to avoid misleading users.

Security findings: 2

Severity: Low
Finding: Non-existent scripts referenced in documentation (documentation deception)
SKILL.md lines 341-345 describe 'node scripts/cronjob-manager.js deploy' and lines 350-352 describe 'node scripts/update-checker.js check', but these files do not exist in the scripts/ directory. This creates a misleading impression of capabilities the skill does not actually possess.
Evidence: node scripts/cronjob-manager.js deploy
→ Remove references to non-existent scripts or implement them if intended functionality.
Location: SKILL.md:341

Severity: Low
Finding: Permissions declared but not used (documentation deception)
The skill documentation implies filesystem:WRITE and shell:WRITE permissions through cron deployment instructions, but the actual JavaScript code (quest-browser.js, utils.js) only performs network:READ operations via the native fetch API.
Evidence: cd ~/.openclaw/workspace/skills/clawquest && node scripts/cronjob-manager.js deploy
→ Update capability declaration to only network:READ if cron features are not implemented.
Location: SKILL.md:333

Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | utils.js:12 - fetch(url) to api.clawquest.ai
Filesystem | WRITE | NONE | ✗ Over-privileged | No file write operations in actual code; mentioned only in SKILL.md cron documen…
Command execution | WRITE | NONE | ✗ Over-privileged | No shell execution in actual JavaScript code; shell access documented but not im…
Environment variables | NONE | NONE | | Only reads CLAWQUEST_API_URL from env (utils.js:11) with safe fallback

16 findings

Severity | Type | URL | Location
Medium | External URL | https://www.clawquest.ai | SKILL.md:5
Medium | External URL | https://api.clawquest.ai | SKILL.md:21
Medium | External URL | https://api.clawquest.ai/docs/ | SKILL.md:30
Medium | External URL | https://www.clawquest.ai/quests/ | SKILL.md:61
Medium | External URL | https://api.clawquest.ai/quests?status=live&limit=20 | SKILL.md:126
Medium | External URL | https://api.clawquest.ai/quests/ | SKILL.md:147
Medium | External URL | https://api.clawquest.ai/skills?limit=50 | SKILL.md:228
Medium | External URL | https://api.clawquest.ai/skills/ | SKILL.md:242
Medium | External URL | https://clawhub.dev/skills/ | SKILL.md:264
Medium | External URL | https://api.clawquest.ai/quests?status=live | SKILL.md:314
Medium | External URL | https://api.clawquest.ai/quests?search=bybit | SKILL.md:317
Medium | External URL | https://api.clawquest.ai/skills | SKILL.md:323
Medium | External URL | https://api.clawquest.ai/quests | SKILL.md:385
Medium | External URL | https://x.com/clawquest_ai | SKILL.md:465
Medium | External URL | https://t.me/ClawQuest_aibot | SKILL.md:466
Medium | External URL | https://www.clawquest.ai/quests/$ | scripts/quest-browser.js:50

Directory structure

4 files · 19.9 KB · 655 lines
Markdown: 1 file, 471 lines · JavaScript: 2 files, 173 lines · JSON: 1 file, 11 lines
├─ 📁 scripts
│ ├─ 📋 package.json JSON 11L · 217 B
│ ├─ 📜 quest-browser.js JavaScript 127L · 5.2 KB
│ └─ 📜 utils.js JavaScript 46L · 1.6 KB
└─ 📝 SKILL.md Markdown 471L · 12.8 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
none | N/A | native | | Uses only Node.js native fetch API - no external npm dependencies

Security highlights

✓ Zero external dependencies - uses only native Node.js fetch API, eliminating supply chain risk
✓ No credential harvesting or sensitive data access
✓ No obfuscation, base64 encoding, or eval() usage
✓ No network requests to suspicious or non-standard domains (only api.clawquest.ai)
✓ Clean, readable JavaScript code with no hidden functionality
✓ No evidence of data exfiltration, reverse shell, or C2 communication
✓ Public API-only access with no authentication requirements
✓ Error handling implemented appropriately