Trusted — Risk Score 5/100
Last scan: 1 day ago
cluster
Data clustering analysis tool using k-means and hierarchical algorithms
A clean, well-documented data clustering tool using only Python standard library with no network access, credential harvesting, obfuscation, or hidden functionality.
Skill Name: cluster
Duration: 29.7s
Engine: pi
Safe to install
No action needed. The skill performs exactly as documented with no security concerns.

Findings (1 item)

| Severity | Finding | Location |
| --- | --- | --- |
| Low | Silent error swallowing in import command (Doc Mismatch) | scripts/script.sh:373 |

The import command uses bare except: to silently swallow JSONDecodeError and other exceptions, printing a generic success message even when no records are imported.
except: pass
→ Use explicit exception types and report failures to the user.

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/script.sh:9-11 — writes to ~/.cluster/data.jsonl and ~/.cluster/config.j… |
| Shell | WRITE | WRITE | ✓ Aligned | scripts/script.sh:1 — uses bash + embedded python3 heredocs |
| Network | NONE | NONE | | No curl, wget, or HTTP calls found in 769-line script |
| Environment | NONE | READ | ✓ Aligned | scripts/script.sh — reads INPUT, K, ALGORITHM, RUN_ID, FORMAT env vars; no sensi… |
| Credential | NONE | NONE | | No access to ~/.ssh, ~/.aws, .env, or API keys |
| Skill Invoke | NONE | NONE | | No skill invocation found |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser access |
| Database | NONE | NONE | | No database access |

2 findings
Medium: External URL, https://bytesagain.com (SKILL.md:6)
Info: Email address, [email protected] (SKILL.md:131)

File Tree

2 files · 26.4 KB · 900 lines
Shell: 1 file, 769 lines · Markdown: 1 file, 131 lines
├─ 📁 scripts
│ └─ 🔧 script.sh Shell 769L · 22.3 KB
└─ 📝 SKILL.md Markdown 131L · 4.2 KB

Dependencies (1 item)

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| python3 | 3.8+ | system | No | Standard library only, no pip packages required |

Security Positives

✓ Uses only Python standard library — no external dependencies, no supply chain risk
✓ No network access — no C2 communication, data exfiltration, or remote code execution
✓ No credential access — does not read ~/.ssh, ~/.aws, .env, or environment API keys
✓ No obfuscation — all code is in plain text, no base64, eval(), or atob() usage
✓ No sensitive path access — only reads/writes to declared ~/.cluster/ directory
✓ SKILL.md accurately describes all functionality — no hidden behavior
✓ No reverse shell, C2, or data theft patterns detected
✓ Clean git history — no suspicious commits
✓ Source attribution present (BytesAgain, github.com/bytesagain/ai-skills)