Scan Report
0 /100
Felo LiveDoc
Manage knowledge bases (LiveDocs) and their resources via Felo API
Felo LiveDoc is a clean knowledge base management skill with no security issues—uses only standard Node.js built-ins, authenticates to a single declared API endpoint, and requires only declared environment variables.
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | scripts/run_livedoc.mjs:1 - Only reads files for upload operation, documented in… |
| Network | READ | READ | ✓ Aligned | scripts/run_livedoc.mjs:3 - Only contacts https://openapi.felo.ai |
| Shell | NONE | NONE | — | No shell execution found |
| Environment | READ | READ | ✓ Aligned | scripts/run_livedoc.mjs:1 - Reads FELO_API_KEY, declared in SKILL.md |
| Skill Invoke | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
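1 High · 2 findings

| Severity | Category | Finding | Match | Location |
|---|---|---|---|---|
| High | API Key | Suspected hardcoded credential | `API_KEY="your-api-key-here"` | README.md:38 |
| Medium | External URL | External URL | https://openapi.felo.ai | scripts/run_livedoc.mjs:6 |

File Tree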
4 files · 23.9 KB · 636 lines
JavaScript 1f · 391L
Markdown 2f · 233L
JSON 1f · 12L

├─ scripts
│  └─ run_livedoc.mjs (JavaScript)
├─ clawhub.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)

Security Positives
✓ Uses only Node.js built-in modules (fs, path) - no external dependencies
✓ Single, hardcoded API endpoint (https://openapi.felo.ai) - no dynamic host resolution
✓ No obfuscation or suspicious encoding patterns
✓ Clean, readable source code with no hidden functionality
✓ API key is used only for authentication with the legitimate Felo API
✓ No credential harvesting or data exfiltration
✓ No file writes, only reads for the declared upload feature
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)