Yahoo! Japan Auctions Price Estimator

Warn. Audited by ClawScan on May 10, 2026.

Overview

The estimator mostly matches its stated purpose, but its script interpolates user-supplied auction IDs and the proxy setting into a shell command string, and it prints the proxy value, which may contain credentials.

Only use this skill with trusted auction IDs and a proxy value that does not contain secrets. Prefer waiting for a version that validates item IDs, avoids shell-string execution, and masks proxy configuration in output.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: Shell command built from unvalidated auction ID and proxy value

What this means

Because the command is assembled as a single string and handed to a shell, a crafted auction ID (for example, one containing a double quote followed by a command separator) or a proxy value containing shell metacharacters could cause the local shell to run commands other than curl when the agent invokes the estimator.

Why it was flagged

The script interpolates a user-supplied auction ID and the PROXY_SOCKS5 environment value directly into an execSync command string instead of validating them or passing them to curl as an argument array.

Skill content
const ids = process.argv.slice(2); ... const url = `https://auctions.yahoo.co.jp/jp/auction/${id}`; ... execSync(`curl -s --proxy ${PROXY} ... "${url}" 2>/dev/null`)
Recommendation

Validate auction IDs to a strict expected pattern and replace execSync string execution with fetch or execFile/spawn using argument arrays.

Finding 2: Proxy value printed verbatim

What this means

If the proxy URL contains credentials, they may appear in agent output, logs, or chat history.

Why it was flagged

The script reads the proxy setting from an environment variable and prints it verbatim; SOCKS proxy URLs can carry a username and password in the userinfo part (socks5://user:pass@host:port).

Skill content
const PROXY = process.env.PROXY_SOCKS5 || 'socks5://127.0.0.1:1080'; ... console.log(`🌐 代理: ${PROXY}`);
Recommendation

Mask proxy credentials before printing, or avoid printing the proxy value entirely.