Oathe Security Badge

Is lisniuse/taoguba-crawler-skill safe?

https://github.com/lisniuse/taoguba-crawler-skill

Overall score: 84/100 · SAFE

This skill appears to be a legitimate web scraping tool for the Chinese finance website Taoguba (tgb.cn). While it contains executable Python code and accesses environment variables for authentication, the functionality is consistent with its stated purpose and poses moderate rather than severe security risks.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

MEDIUM Environment file access -15

The Python scripts read .env files using python-dotenv to access COOKIE and USER_AGENT variables. While this appears to be legitimate functionality for web scraping authentication, it creates a pathway for accessing sensitive environment variables.

MEDIUM External data transmission -10

The scripts send cookie data from environment variables to external websites (tgb.cn) as part of HTTP requests. This could potentially transmit sensitive authentication tokens outside the local environment.

MEDIUM Executable Python code with network access -20

The skill contains substantial Python scripts (300+ lines each) that make HTTP requests, process HTML content, download images, and write files. While appearing legitimate for web scraping, this represents significant code execution surface area.

MEDIUM External content processing -10

The scripts download and process external HTML content and images from tgb.cn, which could potentially be manipulated by attackers controlling that domain to exploit parsing vulnerabilities.

LOW Standard git clone behavior -10

Installation monitoring shows normal git clone operations to GitHub with expected network connections and file system changes limited to the skill directory.