Skillv0.1.1

VirusTotal security

CleanApp Report Submission · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

BenignApr 30, 2026, 3:46 AM

Hash: 95b79e00b74db8467ff81c3b92715dd877dbcc4785aa3606385a8f8e5f2fdba3
Source: palm
Verdict: benign
Code Insight: Package: cleanapp_ingest_v1 (xpi) Version: 1.0.1 Description: Bulk submit problem signals (bugs/incidents/feedback) to CleanApp via /v1/reports:bulkIngest (quarantine by default). The `cleanapp_ingest_v1` package is designed to submit problem signals to the CleanApp API. The analysis of the full source code reveals a well-structured and security-conscious implementation. Key security features include: 1. **Explicit Secret Handling**: The `CLEANAPP_API_TOKEN` is declared as a required secret and is retrieved exclusively from environment variables, preventing hardcoding and promoting secure secret management. 2. **Dry Run Mode**: Both the `ingest.py` Python script and the `submit_report.sh` shell helper script implement a `--dry-run` option, allowing users to inspect the exact JSON payload and target URL before any network requests are made. This provides transparency and a crucial security control. 3. **Controlled Network Communication**: The package uses standard Python `urllib.request` or `curl` for HTTPS communication. The target URL defaults to `https://live.cleanapp.io` but can be configured via an environment variable, which is a standard practice for API clients. The API key is sent securely as a Bearer token in the Authorization header. 4. **Data Handling Policies**: Options are provided to redact media metadata (`--no-media`) and to approximate or remove location data (`--approx-location`, `--no-location`), enhancing privacy and control over sensitive information. 5. **Idempotency Enforcement**: The `ingest.py` script validates that each item has a `source_id`, and `submit_report.sh` generates a unique `source_id` if not provided, supporting the CleanApp API's idempotency requirements to prevent duplicate submissions. 6. **Safe Command Execution**: Shell scripts use `set -euo pipefail` for robustness and employ Python for safe JSON payload construction and coordinate rounding, mitigating shell injection risks. No dynamic `eval` or remote script fetching is observed. 7. **Clear Documentation**: The `README.md`, `SKILL.md`, and `API_REFERENCE.md` files clearly outline the package's purpose, security goals, data handling, and the 'quarantine-first' nature of the CleanApp ingest system, which limits the blast radius of new or unverified data submissions. The package's functionality aligns with its stated purpose, and its design incorporates multiple layers of security best practices, making it benign.
External report: View on VirusTotal