Low risk: risk score 15/100
Last scan: 1 day ago
lark-calendar-litiao
Create, update, and delete calendar events and tasks in Lark (Feishu)
Legitimate Lark calendar and task management skill with no malicious indicators; only accesses Lark API endpoints using documented credentials.
Skill name: lark-calendar-litiao
Analysis time: 55.1s
Engine: pi
Verdict: safe to install
Approve for use. Consider pinning dotenv to a specific version for better supply chain hygiene.

Security findings: 1

Severity | Finding | Category | Location
Low | Unpinned dependency version | Supply chain | package.json:13
The dotenv dependency is specified with a caret range (^17.2.3) rather than a pinned version. This allows automatic minor/patch updates which could introduce unexpected behavior.
"dotenv": "^17.2.3"
→ Pin to a specific version: "dotenv": "17.2.3"
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | lib/lark-api.mjs:25 - fetch() calls to https://open.feishu.cn/open-apis
Environment variables | READ | READ | ✓ consistent | lib/lark-api.mjs:14-17 - loads FEISHU_APP_ID and FEISHU_APP_SECRET
File system | NONE | READ | ✓ consistent | lib/lark-api.mjs:14 - config() reads .secrets.env file for credentials
Command execution | NONE | NONE | | No subprocess or shell execution found
Skill invocation | NONE | NONE | | No skill_invoke usage detected
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser automation detected
Database | NONE | NONE | | No database access detected
Indicators: 8 findings

Severity | Type | Value | Location
Medium | External URL | https://open.larksuite.com/document/server-docs/calendar-v4/calendar-event/create | SKILL.md:211
Medium | External URL | https://open.larksuite.com/document/server-docs/calendar-v4/calendar-event-attendee/create | SKILL.md:212
Medium | External URL | https://open.larksuite.com/document/server-docs/task-v2/task/create | SKILL.md:213
Medium | External URL | https://open.larksuite.com/app/cli_a9f52a4ed7b8ded4/auth | SKILL.md:225
Medium | External URL | https://open.feishu.cn/open-apis | lib/lark-api.mjs:24
Medium | External URL | https://dotenvx.com | package-lock.json:24
Info | Email address | [email protected] | SKILL.md:26
Info | Email address | [email protected] | lib/calendar.mjs:9

Directory structure

17 files · 55.7 KB · 1973 lines
JavaScript: 13 files, 1692 lines · Markdown: 1 file, 229 lines · JSON: 3 files, 52 lines
├─ lib/
│ ├─ calendar.mjs JavaScript 310L · 9.5 KB
│ ├─ employees.mjs JavaScript 241L · 7.3 KB
│ ├─ lark-api.mjs JavaScript 142L · 3.8 KB
│ └─ task.mjs JavaScript 187L · 4.6 KB
├─ scripts/
│ ├─ create-event.mjs JavaScript 124L · 4.0 KB
│ ├─ create-task.mjs JavaScript 109L · 3.1 KB
│ ├─ delete-event.mjs JavaScript 59L · 1.4 KB
│ ├─ delete-task.mjs JavaScript 55L · 1.1 KB
│ ├─ list-events.mjs JavaScript 93L · 2.5 KB
│ ├─ manage-attendees.mjs JavaScript 109L · 3.3 KB
│ ├─ manage-task-members.mjs JavaScript 105L · 3.0 KB
│ ├─ update-event.mjs JavaScript 83L · 2.2 KB
│ └─ update-task.mjs JavaScript 75L · 1.8 KB
├─ _meta.json JSON 5L · 132 B
├─ package-lock.json JSON 28L · 678 B
├─ package.json JSON 19L · 337 B
└─ SKILL.md Markdown 229L · 6.9 KB

Dependency analysis: 1 package

Package | Version | Source | Known vulnerabilities | Notes
dotenv | ^17.2.3 | npm | | Version not pinned, minor supply chain concern

Security highlights

✓ All network requests go exclusively to legitimate Lark API endpoints (open.feishu.cn)
✓ Credentials are used only for API authentication, never exfiltrated
✓ No shell execution, subprocess, or command injection vulnerabilities
✓ No obfuscation techniques (base64, eval, etc.) detected
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env file scanning)
✓ No hidden functionality - code matches documented behavior
✓ Clear documentation of all capabilities in SKILL.md
✓ No prompt injection or jailbreak attempts
✓ Employee data is used only for name-to-user_id resolution within the tool