Trusted: risk score 5/100
Last scanned: 22 hours ago
cluster
Data clustering analysis tool using k-means and hierarchical algorithms
A clean, well-documented data clustering tool using only Python standard library with no network access, credential harvesting, obfuscation, or hidden functionality.
Skill name: cluster
Analysis time: 29.7s
Engine: pi
Safe to install
No action needed. The skill performs exactly as documented with no security concerns.

Security findings: 1

Severity | Finding | Location
Low | Silent error swallowing in import command (documentation deception) | scripts/script.sh:373
The import command uses bare except: to silently swallow JSONDecodeError and other exceptions, printing a generic success message even when no records are imported.
except: pass
→ Use explicit exception types and report failures to the user.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | scripts/script.sh:9-11 — writes to ~/.cluster/data.jsonl and ~/.cluster/config.j…
Command execution | WRITE | WRITE | ✓ Consistent | scripts/script.sh:1 — uses bash + embedded python3 heredocs
Network access | NONE | NONE | | No curl, wget, or HTTP calls found in 769-line script
Environment variables | NONE | READ | ✓ Consistent | scripts/script.sh — reads INPUT, K, ALGORITHM, RUN_ID, FORMAT env vars; no sensi…
Credentials | NONE | NONE | | No access to ~/.ssh, ~/.aws, .env, or API keys
Skill invocation | NONE | NONE | | No skill invocation found
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access
2 findings
Medium | External URL | https://bytesagain.com | SKILL.md:6
Info | Email address | [email protected] | SKILL.md:131

Directory structure

2 files · 26.4 KB · 900 lines
Shell 1f · 769L Markdown 1f · 131L
├─ 📁 scripts
│ └─ 🔧 script.sh Shell 769L · 22.3 KB
└─ 📝 SKILL.md Markdown 131L · 4.2 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
python3 | 3.8+ | system | | Standard library only, no pip packages required

Security highlights

✓ Uses only Python standard library — no external dependencies, no supply chain risk
✓ No network access — no C2 communication, data exfiltration, or remote code execution
✓ No credential access — does not read ~/.ssh, ~/.aws, .env, or environment API keys
✓ No obfuscation — all code is in plain text, no base64, eval(), or atob() usage
✓ No sensitive path access — only reads/writes to declared ~/.cluster/ directory
✓ SKILL.md accurately describes all functionality — no hidden behavior
✓ No reverse shell, C2, or data theft patterns detected
✓ Clean git history — no suspicious commits
✓ Source attribution present (BytesAgain, github.com/bytesagain/ai-skills)