Trusted (risk score 5/100)
Last scanned: 1 day ago
calibre-metadata-apply
Calibre metadata editor for title/authors/series/tags updates
Clean Calibre metadata management skill with proper credential handling and no malicious behavior detected.
Skill name: calibre-metadata-apply
Analysis time: 31.6s
Engine: pi
OK to install
No action needed. The skill is safe for use.
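| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | scripts/calibredb_apply.mjs:56 spawnSync(cmd[0], cmd.slice(1), {...}) |
| File system | WRITE | WRITE | ✓ Consistent | Local state writes to state/runs.json - declared in metadata |
| Environment variables | READ | READ | ✓ Consistent | Reads CALIBRE_PASSWORD, CALIBRE_USERNAME from env - necessary for auth |
| Network access | READ | READ | ✓ Consistent | HTTP calls only to configured Calibre Content Server URL |
| Skill invocation | READ | READ | ✓ Consistent | Uses subagent-spawn-command-builder for orchestration - declared |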
1 finding
Medium severity: External URL
http://127.0.0.1:8080/#MyLibrary
README.md:132

Directory structure

5 files · 39.2 KB · 1099 lines
JavaScript 3f · 689L Markdown 2f · 410L
├─ 📁 scripts
│ ├─ 📜 calibredb_apply.mjs JavaScript 524L · 17.7 KB
│ ├─ 📜 handle_completion.mjs JavaScript 61L · 1.9 KB
│ └─ 📜 run_state.mjs JavaScript 104L · 3.2 KB
├─ 📝 README.md Markdown 150L · 6.1 KB
└─ 📝 SKILL.md Markdown 260L · 10.3 KB

Security highlights

✓ No external dependencies (pure Node.js built-ins) - no supply chain risk
✓ Credential handling via --password-env avoids plaintext password exposure
✓ buildSafeEnv() properly isolates environment variables (only passes PATH, HOME, LANG, LC_ALL, LC_CTYPE, SYSTEMROOT, WINDIR)
✓ Command redaction in redactedCmd() masks passwords in logs
✓ Dry-run mode by default prevents accidental writes
✓ JSONL input validation with allowed field whitelist (ALLOWED set)
✓ No base64, no obfuscation, no suspicious patterns
✓ WSL/docker host discovery is a standard network resilience pattern
✓ State file writes declared in SKILL.md metadata
✓ No access to sensitive paths (~/.ssh, ~/.aws, etc.)