中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:20 hr ago Rescan
20 /100
secretary-core
智能助理核心技能,支持20轮对话上下文、情感识别、主动提醒、日程管理,集成飞书/钉钉/企业微信
Benign AI assistant skill with clean code but notable doc-to-implementation mismatch - declares multi-platform integration features without corresponding implementation code.
Skill Namesecretary-core
Duration56.4s
Enginepi
Safe to install
The skill is safe for use but requires clarification on missing platform integration implementations before production deployment.

Findings 3 items

Severity Finding Location
Low
Multi-platform integration declared but not implemented Doc Mismatch
SKILL.md metadata requires FEISHU_BOT_TOKEN, DINGTALK_BOT_TOKEN, WECHAT_BOT_TOKEN and shows integration examples, but the Python code contains no platform integration modules, no API calls, and never reads environment variables.
requires: { api_keys: [FEISHU_BOT_TOKEN, DINGTALK_BOT_TOKEN, WECHAT_BOT_TOKEN] }
→ Either implement the declared platform integrations or remove the API key requirements from metadata
 SKILL.md:13
Low
File structure mismatch Doc Mismatch
SKILL.md documents a complete module structure (platform/, tests/, context_manager.py, emotion_detector.py, etc.) that does not exist in the repository.
├── platform/ │ ├── feishu.py │ ├── dingtalk.py │ └── wechat.py
→ Ensure documentation reflects actual file structure or implement missing modules
 SKILL.md:310
Low
Unpinned dependency version Supply Chain
requirements.txt specifies 'numpy>=1.20.0' without an upper bound, potentially allowing installation of versions with known vulnerabilities.
numpy>=1.20.0
→ Pin to a specific version range (e.g., numpy>=1.20.0,<1.26.0) to prevent automatic upgrade to vulnerable versions
 requirements.txt:1
ResourceDeclaredInferredStatusEvidence
Filesystem NONE NONE All implementations use in-memory storage only; no file read/write operations
Network READ (API integrations) NONE ✗ Violation SKILL.md declares Feishu/DingTalk/WeChat integrations but no network requests ex…
Shell NONE NONE No subprocess, os.system, or shell command execution found
Environment READ (API tokens) NONE ✗ Violation SKILL.md requires FEISHU_BOT_TOKEN etc. but code never accesses os.environ or an…
Skill Invoke NONE NONE No cross-skill invocation patterns detected
Clipboard NONE NONE No clipboard access found
Browser NONE NONE No browser automation detected
Database NONE NONE No database connections found
2 findings
🔗
Medium External URL 外部 URL
https://clawhub.com/skill/secretary-core
README.md:205
🔗
Medium External URL 外部 URL
https://secretary-core.readthedocs.io/
SKILL.md:414

File Tree

12 files · 83.6 KB · 2948 lines
Python 5f · 1566L Markdown 5f · 1373L JSON 1f · 8L Text 1f · 1L
├─ 📋 clawhub.json JSON 8L · 222 B
├─ 📝 CONTEXT_MANAGER.md Markdown 163L · 3.9 KB
├─ 📝 INTENT_UNDERSTANDING.md Markdown 156L · 3.4 KB
├─ 📝 README.md Markdown 210L · 6.0 KB
├─ 📝 RELEASE-v3.0.0.md Markdown 398L · 8.2 KB
├─ 📄 requirements.txt Text 1L · 14 B
├─ 🔑 secretary_efficiency_v1.py Python 292L · 10.1 KB
├─ 🔑 secretary_v1.5.py Python 140L · 4.4 KB
├─ 🔑 secretary_v2.1_adaptive.py Python 327L · 11.7 KB
├─ 🔑 secretary_v2.py Python 257L · 8.3 KB
├─ 🔑 secretary_v3.0.0.py Python 550L · 18.3 KB
└─ 📝 SKILL.md Markdown 446L · 9.2 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
numpy >=1.20.0 pip No Version not pinned; only dependency, minimal supply chain risk

Security Positives

✓ No shell execution, subprocess, or system command invocation detected
✓ No credential harvesting or environment variable reading for exfiltration
✓ No network requests to external IPs or C2 infrastructure
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No sensitive file path access (~/.ssh, ~/.aws, .env files)
✓ No reverse shell, C2 communication, or data exfiltration patterns
✓ No hidden functionality in HTML comments or disguised payloads
✓ Clean Python code with standard library usage (json, re, datetime, dataclasses, enum)
✓ All data processing is in-memory with no persistence or file writes
✓ No prompt injection or jailbreak instructions found