
Audit history

meituan-coupon - 2 audits

Audit version 2

Latest: Low risk

Apr 19, 2026, 08:17 AM

Static analysis flagged 424 potential issues, but evaluation reveals most are false positives. The markdown documentation files contain code examples (backtick patterns), not actual executions. Actual Python scripts use legitimate patterns: subprocess for platform detection, MD5 for non-cryptographic ID generation, and local credential storage following standard practices. The skill explicitly prohibits uploading user data to third parties and mandates token masking. Network calls target Meituan official APIs only. This is a legitimate coupon assistant with appropriate security controls.

Files analysed: 11
Lines analysed: 3,849
Findings: 10
Audited by: claude

High-risk issues (1)

Heuristic Combination Flag (False Positive)
The static analyzer flagged the 'Code execution + Network + Credential access' combination as dangerous. Evaluation confirms this is a false positive: subprocess is used only for platform detection (which openclaw), network access goes to Meituan official APIs, and credentials are stored locally under explicit privacy rules.
Medium-risk issues (2)
MD5 Usage for Code Generation (Acceptable)
An MD5 hash is used in issue.py to generate redeem codes. This is a non-cryptographic use (unique ID generation) for coupon tracking, not password hashing; MD5's known collision weaknesses only matter when the hash is relied on as a security primitive, which is not the case for an identifier. Risk is acceptable.
Markdown Documentation Code Examples
The 253 external_command detections in markdown files are code examples in documentation, NOT actual executions. These patterns in SKILL.md and references/*.md show shell syntax for educational purposes.
Low-risk issues (2)
Local Credential Storage Pattern
Hidden files (.auth_token, .cookies, .cache) are used to store credentials locally. This is standard practice, and SKILL.md explicitly prohibits uploading them to third parties.
Environment Variable Access for Platform Detection
Environment variable access in auth.py detects the Claude, Friday and ClawHub platforms. This is standard configuration detection, not credential exposure.
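The triage summarized in the issues above, written out as an added example (this is not the skill's code and not the audit tooling the page refers to): shell-looking lines in markdown are classified by whether they sit inside backticks, Python files are parsed with ast so that only real call sites count (never strings or comments), and the three categories are combined the way the heuristic flag describes. The shell-command regex, the call lists, and the sample markdown and Python are assumptions constructed for the demo; the page does not spell out the analyzer's own pattern.

```python
"""Hand-triage for a 'code execution + network + credential access' flag.
Added example, not the skill's code; the analyzer pattern is approximated."""
import ast
import re

# Assumption: stands in for the audit's external_command detector.
SHELL_LINE = re.compile(
    r"^\s*(\$\s+)?(curl|wget|bash|sh|python3?|pip|npm|git|which|powershell)\b"
)
INLINE_CODE = re.compile(r"`([^`]+)`")
FENCE = "`" * 3  # built at runtime so this example holds no literal fence

EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "os.system", "os.popen"}
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen",
                 "httpx.get"}
CREDENTIAL_FILES = {".auth_token", ".cookies", ".cache"}


def classify_markdown(md_text):
    """Return (inside_code, outside_code): shell-looking lines that are
    documentation examples versus ones that appear in running prose."""
    inside = outside = 0
    in_fence = False
    for line in md_text.splitlines():
        if line.strip().startswith(FENCE):
            in_fence = not in_fence
            continue
        if in_fence:
            inside += bool(SHELL_LINE.match(line))
            continue
        inside += sum(bool(SHELL_LINE.match(s)) for s in INLINE_CODE.findall(line))
        outside += bool(SHELL_LINE.match(INLINE_CODE.sub("", line)))
    return inside, outside


def _dotted_name(node):
    """Render a call target such as subprocess.run as 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_python_patterns(src):
    """Map each category to the line numbers of real call sites."""
    found = {"exec": [], "network": [], "credential": []}
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        target = _dotted_name(node.func)
        if target in EXEC_CALLS:
            found["exec"].append(node.lineno)
        elif target in NETWORK_CALLS:
            found["network"].append(node.lineno)
        elif target == "open" and node.args:
            arg = node.args[0]
            if (isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                    and arg.value.rsplit("/", 1)[-1] in CREDENTIAL_FILES):
                found["credential"].append(node.lineno)
    return found


def combination_flag(found):
    """The analyzer's heuristic: all three categories present in one file."""
    return all(found[key] for key in ("exec", "network", "credential"))


# Constructed sample markdown: a fenced example, an inline example, and one
# prose line that happens to start with a command name.
SAMPLE_MD = "\n".join([
    "## Install", "",
    FENCE + "bash", "$ pip install meituan-coupon", "$ which openclaw", FENCE, "",
    "Run `python3 issue.py` to generate a code.",
    "curl is optional for manual testing.",
])

# Constructed sample script exercising all three categories plus decoys.
SAMPLE_PY = '''\
import subprocess, requests

def detect_platform():
    return subprocess.run(["which", "openclaw"], capture_output=True).returncode == 0

def fetch_coupons(token):
    return requests.get("https://example.invalid/coupons", headers={"token": token})

def load_token():
    with open(".auth_token") as f:
        return f.read().strip()

# subprocess.run("echo hi") in a comment is not a call
DOC = "os.system('x') inside a string is not a call either"
'''

if __name__ == "__main__":
    print("markdown (inside, outside):", classify_markdown(SAMPLE_MD))
    hits = find_python_patterns(SAMPLE_PY)
    print("python call sites:", hits, "flag:", combination_flag(hits))
```

On the constructed inputs the markdown scan reports three documentation examples and one prose hit, and the Python scan locates exactly one real call per category (the comment and the string are ignored), which is what raises the combination flag; whether that flag is a false positive is then a question of what those three calls do, not of whether they exist.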

Detected patterns

subprocess.run for Platform Detection
PowerShell Invocation for Encoding Fix
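The MD5 finding above turns on one distinction: a hash used as an identifier versus a hash relied on as a secret. The following is an added example of that distinction, not the skill's issue.py; the field names and the code length are assumptions.

```python
"""Deterministic redeem-code generation with MD5 beside a CSPRNG alternative.
Added example; not the skill's issue.py. Field names are assumed."""
import hashlib
import secrets


def tracking_code(user_id, coupon_id, issued_at):
    """12-hex-char identifier for one issue event. Same inputs always give the
    same code, which is what makes it usable for deduplication and tracking.
    usedforsecurity=False (Python 3.9+) records the intent and keeps the call
    working on FIPS-restricted builds where MD5 is otherwise disabled."""
    material = f"{user_id}:{coupon_id}:{issued_at}".encode()
    try:
        digest = hashlib.md5(material, usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity flag
        digest = hashlib.md5(material)
    return digest.hexdigest()[:12]


def is_recomputable(code, user_id, coupon_id, issued_at):
    """Anyone who knows the inputs can regenerate the code. Fine for a tracking
    ID; the reason a hash over known fields is not a substitute for a secret."""
    return code == tracking_code(user_id, coupon_id, issued_at)


def unguessable_code(nbytes=16):
    """For a code that must not be predictable, draw it from the OS CSPRNG and
    store the mapping to the issue event instead of deriving it from the data."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    code = tracking_code("user-1", "coupon-42", 1700000000)  # constructed values
    print("tracking code:", code, "recomputable:",
          is_recomputable(code, "user-1", "coupon-42", 1700000000))
    print("unguessable code:", unguessable_code())
```

The flag passed to hashlib.md5 is the idiomatic way to document a non-cryptographic use in Python; it is also the first thing a reviewer checks when deciding whether an MD5 call belongs in the "acceptable" bucket.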

Audit version 1

Low risk

Apr 19, 2026, 08:19 AM

Security audit completed. All 424 static findings evaluated as false positives or legitimate functionality. The skill implements proper security controls including local-only credential storage, no upload of sensitive user data, and clear privacy guidelines. Network access is limited to official Meituan API endpoints. No malicious patterns detected.

Files analysed: 11
Lines analysed: 3,849
Findings: 6
Audited by: claude
Low-risk issues (2)
MD5 Hash Usage for Coupon Code Generation
MD5 is used to generate unique coupon redemption codes. This is for non-cryptographic purposes (creating unique identifiers), not for security. The algorithm choice is appropriate for this use case.
Environment Variable Detection for Workspace Paths
The skill accesses environment variables to detect the correct workspace path for storing auth tokens. This is a standard pattern for cross-platform compatibility.
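Both audit versions describe the same storage shape: a workspace directory chosen from environment variables, hidden files such as .auth_token kept there, and token masking required by SKILL.md. The following is an added example of that shape, not the skill's auth.py; the variable names are assumed (the page names the Claude, Friday and ClawHub platforms but not the variables they set), the token value is made up, and the permission check is the one a reviewer would want behind a "local-only storage" claim.

```python
"""Local credential storage: env-var workspace resolution, owner-only token
file, permission check on read, masking for logs. Added example; not auth.py."""
import os
import stat
import tempfile

# Assumed names; the page names the platforms, not their variables.
WORKSPACE_VARS = ("CLAUDE_WORKSPACE", "FRIDAY_WORKSPACE", "CLAWHUB_WORKSPACE")
TOKEN_FILE = ".auth_token"


def resolve_workspace(env=None):
    """First platform variable that is set and points at an existing directory
    wins; otherwise fall back to the home directory. The isdir() check keeps a
    stale or mistyped variable from sending the token file somewhere odd."""
    env = os.environ if env is None else env
    for var in WORKSPACE_VARS:
        path = env.get(var)
        if path and os.path.isdir(path):
            return path
    return os.path.expanduser("~")


def save_token(workspace, token):
    """Create the hidden token file owner-only from its first instant (mode
    given to os.open, not fixed up with chmod afterwards) and swap it into
    place atomically. POSIX semantics; on Windows the mode bits are ignored."""
    path = os.path.join(workspace, TOKEN_FILE)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    os.replace(tmp, path)
    return path


def load_token(workspace):
    """Refuse a token file another local user could read."""
    path = os.path.join(workspace, TOKEN_FILE)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is group/world accessible (mode {mode:o})")
    with open(path) as fh:
        return fh.read().strip()


def mask_token(token, keep=4):
    """Log-safe rendering: last `keep` characters visible, the rest starred."""
    if len(token) <= keep:
        return "*" * len(token)
    return "*" * (len(token) - keep) + token[-keep:]


def demo():
    """Round trip in a throwaway directory; returns the facts worth checking."""
    workspace = tempfile.mkdtemp()
    token = "mt-example-token-7f3a"  # constructed value, not a real token
    chosen = resolve_workspace({"FRIDAY_WORKSPACE": workspace})
    path = save_token(chosen, token)
    mode_after_save = stat.S_IMODE(os.stat(path).st_mode)
    loaded = load_token(chosen)
    os.chmod(path, 0o644)  # simulate a careless copy; load_token must refuse it
    try:
        load_token(chosen)
        refused = False
    except PermissionError:
        refused = True
    return {
        "workspace_from_env": chosen == workspace,
        "mode_after_save": mode_after_save,
        "round_trip": loaded == token,
        "masked": mask_token(loaded),
        "refused_loose_mode": refused,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two details that separate "standard practice" from a real control are in save_token and load_token: the mode is set at creation time rather than after a world-readable file has already existed for a moment, and a read refuses a file whose permissions have drifted instead of silently using it.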

Risk factors

⚡ Contains scripts (2)
🌐 Network access (2)
📁 File system access (2)
🔑 Environment variables (2)