SiYuan Note 安全扫描报告 — 低风险 | ClawSafe

15 /100

SiYuan Note

SiYuan Note API client for notebook, document and block management

Legitimate SiYuan Note API client with no malicious behavior detected. Uses only local API calls and standard Python libraries.

技能名称SiYuan Note

分析耗时36.2s

引擎pi

✓

可以安装

The skill is safe to use. Consider removing the undeclared Bash permission from SKILL.md as no shell execution was found in the codebase.

安全发现 1 项

严重性	安全发现	位置
低危	Undeclared Bash permission not used 文档欺骗 SKILL.md declares 'Bash→shell:WRITE' permission but no shell execution was found in the code. The skill uses only Python's urllib for HTTP requests. `requires: { bins: ["python3"] }` → Remove shell:WRITE from allowed-tools or document if Bash was intended for future use	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	siyuan_client.py:161-180 - Only connects to local SiYuan API at 127.0.0.1:6806
文件系统	`WRITE`	`WRITE`	✓ 一致	tools/export.py:91-98, tools/read.py:68-70 - Write operations only for user-requ…
命令执行	`WRITE`	`NONE`	✓ 一致	No subprocess, os.system, or shell execution found in entire codebase

12 项发现

🔗

中危外部 URL 外部 URL

http://127.0.0.1:6806

API.md:74

🔗

中危外部 URL 外部 URL

https://b3log.org/siyuan/

API.md:1469

🔗

中危外部 URL 外部 URL

https://b3log.org/siyuan

API.md:1521

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/version-1.0.0-blue

README.md:3

🔗

中危外部 URL 外部 URL

https://clawhub.ai

README.md:3

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/python-3.8%2B-green

README.md:4

🔗

中危外部 URL 外部 URL

https://python.org

README.md:4

🔗

中危外部 URL 外部 URL

https://img.shields.io/badge/license-MIT-yellow

README.md:5

🔗

中危外部 URL 外部 URL

https://clawhub.ai/weiwei2027/siyuan

README.md:228

🔗

中危外部 URL 外部 URL

https://www.siyuan-note.club/apis

README.md:230

🔗

中危外部 URL 外部 URL

https://openclaw.ai

README.md:236

🔗

中危外部 URL 外部 URL

https://api.example.com/data

SKILL.md:335

目录结构

14 文件 · 124.2 KB · 4760 行

Markdown 4f · 2396L Python 9f · 2351L YAML 1f · 13L

├─ ▾ 📁 tools

│ ├─ 🐍 create.py Python 82L · 2.4 KB

│ ├─ 🐍 delete.py Python 141L · 4.3 KB

│ ├─ 🐍 export.py Python 223L · 7.2 KB

│ ├─ 🐍 list.py Python 114L · 3.7 KB

│ ├─ 🐍 move.py Python 124L · 4.3 KB

│ ├─ 🐍 read.py Python 104L · 3.0 KB

│ ├─ 🐍 search.py Python 129L · 4.1 KB

│ └─ 🐍 update.py Python 170L · 6.1 KB

├─ 📝 API.md Markdown 1583L · 31.2 KB

├─ 📝 CHANGELOG.md Markdown 45L · 1.3 KB

├─ 📋 config.example.yaml YAML 13L · 479 B

├─ 📝 README.md Markdown 236L · 4.8 KB

├─ 🐍 siyuan_client.py Python 1264L · 39.5 KB

└─ 📝 SKILL.md Markdown 532L · 11.9 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`pyyaml`	`not pinned`	pip	否	Standard YAML parser, no known vulnerabilities

安全亮点

✓ Uses only Python standard library (urllib, json, yaml, pathlib) - no external dependencies

✓ All network requests are local-only (127.0.0.1:6806) - SiYuan local API

✓ No credential harvesting or environment variable iteration

✓ No obfuscation techniques (base64, eval, etc.)

✓ No data exfiltration or C2 communication

✓ Clean, well-documented code with comprehensive error handling

✓ API token is user-provided and stored locally in config file

✓ SQL queries are documented and follow expected SiYuan API patterns

✓ No persistence mechanisms (cron, startup scripts) found

✓ All file operations are user-initiated exports