Trusted — Risk Score 5/100
Last scan: 19 hr ago
DevTaskFlow
AI-driven development pipeline: describe your requirements in natural language and the AI completes the whole flow from analysis to deployment.
DevTaskFlow is a legitimate AI-powered development pipeline tool with no malicious behavior. The pre-scan IP address flags are false positives from SVG path data fragments. All credential handling is for LLM API usage only, shell execution uses safe argument lists, and there is no obfuscation, exfiltration, or undeclared sensitive behavior.
Skill Name: DevTaskFlow
Duration: 68.3s
Engine: pi
Safe to install
This skill is safe to use. No blocking issues found. Consider pinning dependency versions (requests, npm packages) for supply-chain hygiene.

Findings (2 items)

Severity: Info | Finding: Unpinned dependency versions | Location: Supply Chain
Python's requests library and npm packages in board/ have unpinned versions. While not vulnerable, pinning versions reduces supply-chain risk.
Evidence: requests library imported without version constraint; no requirements.txt or package.json pin file
→ Add version pins: requests>=2.31.0 in requirements.txt; pin board/package.json versions

Severity: Info | Finding: Pre-scan false positive IPs correctly identified | Location: Doc Mismatch
The pre-scan flagged '1.23.82.72', '2.2.82.64', etc. as hardcoded IPs in landing/index.html. These are false positives — the regex matched fragments of the GitHub SVG logo path data (e.g., 'M8 0C3.58 0 0 3.58') producing false IP patterns. No real C2 IPs are present.
Evidence (landing/index.html:201:201): <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59..."
→ No action needed. The pre-scan regex needs refinement to avoid matching SVG path data.

Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares code generation and file write capabilities
Shell | WRITE | WRITE | ✓ Aligned | deploy_adapter.py runs build/deploy commands via subprocess
Network | READ | READ | ✓ Aligned | LLM API calls via requests library; board server on localhost
Environment | READ | READ | ✓ Aligned | Reads DTFLOW_LLM_API_KEY etc. for LLM config; documented
Skill Invoke | NONE | NONE | n/a | No sub-skill invocation detected

Pre-scan findings: 85 items (5 High); the 5 High items are listed below

High | IP Address (hardcoded IP address) | 1.23.82.72 | landing/index.html:201
High | IP Address (hardcoded IP address) | 2.2.82.64 | landing/index.html:201
High | IP Address (hardcoded IP address) | 2.12.51.56 | landing/index.html:201
High | IP Address (hardcoded IP address) | 3.95.29.25 | landing/index.html:201
High | IP Address (hardcoded IP address) | 21.15.46.55 | landing/index.html:201

File Tree

64 files · 294.3 KB · 8130 lines
Python: 46 files, 5610 lines · Markdown: 12 files, 1177 lines · JSON: 3 files, 882 lines · HTML: 2 files, 329 lines · JavaScript: 1 file, 132 lines
├─ 📁 board
│ ├─ 📁 public
│ │ └─ 📄 index.html HTML 71L · 3.2 KB
│ ├─ 📋 package-lock.json JSON 827L · 28.9 KB
│ ├─ 📋 package.json JSON 11L · 180 B
│ └─ 📜 server.js JavaScript 132L · 4.4 KB
├─ 📁 docs
│ ├─ 📝 ARCHITECTURE.md Markdown 91L · 3.0 KB
│ └─ 📝 B2_IMPLEMENTATION_PLAN.md Markdown 56L · 1.7 KB
├─ 📁 example-project
│ ├─ 📁 versions
│ │ └─ 📁 v0.1.0
│ │   └─ 📁 docs
│ │     └─ 📝 REQUIREMENTS.md Markdown 16L · 488 B
│ └─ 📝 README.md Markdown 15L · 440 B
├─ 📁 landing
│ ├─ 📄 index.html HTML 258L · 7.9 KB
│ └─ 🐍 serve.py Python 17L · 518 B
├─ 📁 lib
│ ├─ 📁 orchestrators
│ │ ├─ 🐍 __init__.py Python 1L · 24 B
│ │ ├─ 🐍 base.py Python 6L · 181 B
│ │ ├─ 🐍 local_llm.py Python 225L · 7.6 KB
│ │ └─ 🐍 openclaw_subagent.py Python 316L · 10.8 KB
│ ├─ 🐍 analyze.py Python 85L · 3.1 KB
│ ├─ 🐍 auto_advance.py Python 453L · 18.2 KB
│ ├─ 🐍 cli.py Python 1006L · 38.1 KB
│ ├─ 🐍 config.py Python 40L · 1.1 KB
│ ├─ 🐍 contracts_analyze.py Python 11L · 332 B
│ ├─ 🐍 contracts_fix.py Python 13L · 412 B
│ ├─ 🐍 contracts_review.py Python 12L · 343 B
│ ├─ 🐍 contracts_write.py Python 12L · 350 B
│ ├─ 🐍 dashboard.py Python 168L · 7.6 KB
│ ├─ 🐍 deploy_adapter.py Python 200L · 7.4 KB
│ ├─ 🐍 doctor.py Python 29L · 1.2 KB
│ ├─ 🐍 error_handling.py Python 135L · 5.3 KB
│ ├─ 🐍 fix_flow.py Python 76L · 2.9 KB
│ ├─ 🐍 git_utils.py Python 102L · 3.4 KB
│ ├─ 🐍 human_summary.py Python 54L · 2.1 KB
│ ├─ 🐍 llm_risk.py Python 78L · 2.2 KB
│ ├─ 🐍 llm.py Python 65L · 2.2 KB
│ ├─ 🐍 openclaw_bridge.py Python 14L · 455 B
│ ├─ 🐍 openclaw_config.py Python 73L · 2.5 KB
│ ├─ 🐍 orchestrator.py Python 25L · 1008 B
│ ├─ 🐍 project_board.py Python 96L · 3.0 KB
│ ├─ 🐍 project_queries.py Python 43L · 1.3 KB
│ ├─ 🐍 project.py Python 43L · 1.5 KB
│ ├─ 🐍 prompt_loader.py Python 13L · 470 B
│ ├─ 🐍 publish_flow.py Python 196L · 7.0 KB
│ ├─ 🐍 release_flow.py Python 290L · 9.4 KB
│ ├─ 🐍 renderers.py Python 15L · 295 B
│ ├─ 🐍 requirement_guidance.py Python 142L · 5.1 KB
│ ├─ 🐍 result_parser.py Python 52L · 1.4 KB
│ ├─ 🐍 result_schema.py Python 135L · 4.6 KB
│ ├─ 🐍 review_flow.py Python 189L · 7.0 KB
│ ├─ 🐍 run_flow.py Python 180L · 6.4 KB
│ ├─ 🐍 scaffold.py Python 51L · 2.0 KB
│ ├─ 🐍 serve.py Python 23L · 770 B
│ ├─ 🐍 setup_flow.py Python 528L · 18.1 KB
│ ├─ 🐍 state.py Python 123L · 4.0 KB
│ ├─ 🐍 tasks.py Python 41L · 1.7 KB
│ ├─ 🐍 ux.py Python 38L · 1.7 KB
│ ├─ 🐍 version_flow.py Python 56L · 1.8 KB
│ ├─ 🐍 workspace_layout.py Python 28L · 827 B
│ └─ 🐍 write_flow.py Python 112L · 4.6 KB
├─ 📁 prompts
│ ├─ 📝 analyze_system.md Markdown 64L · 2.4 KB
│ ├─ 📝 comprehensive_review_system.md Markdown 34L · 2.3 KB
│ ├─ 📝 review_system.md Markdown 42L · 2.2 KB
│ ├─ 📝 STRUCTURED_OUTPUT_GUIDE.md Markdown 102L · 1.9 KB
│ └─ 📝 write_system.md Markdown 159L · 6.9 KB
├─ 📁 templates
│ └─ 🔑 config.json JSON 44L · 863 B
├─ 📝 CHANGELOG.md Markdown 162L · 9.6 KB
├─ 📝 README.md Markdown 217L · 7.1 KB
└─ 📝 SKILL.md Markdown 219L · 8.9 KB

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
requests | unpinned | pip | No | No requirements.txt found; requests version not pinned
board npm packages | unpinned | npm | No | board/package.json has dependencies but no package-lock.json pinned versions
express | unpinned | npm | No | Used in board/server.js

Security Positives

✓ No malicious code execution (no eval, exec, base64 decode, or shell=True subprocess)
✓ API keys are used exclusively for legitimate LLM API calls and not exfiltrated
✓ Shell commands use safe argument lists (subprocess with argument array, not shell=True)
✓ No C2 communication or data exfiltration detected
✓ No obfuscation techniques (no base64, atob, or encoded payloads)
✓ No credential harvesting beyond what's needed for LLM configuration
✓ Deploy adapter includes input validation for SSH host/user/path fields
✓ API keys are masked in board output (_mask_host function)
✓ Docker generation creates secure, minimal containers
✓ Documentation matches implementation behavior