中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:2 天前 重新扫描
5 /100
paper-summarize-pdf-to-feishu
Multi-agent orchestration skill for summarizing academic PDFs into Feishu (Lark) documents with figure extraction and hallucination-prevention review
A legitimate multi-agent PDF-to-Feishu paper summarization skill with no malicious indicators — all shell execution is declared, documented, and limited to standard PDF processing tooling.
技能名称paper-summarize-pdf-to-feishu
分析耗时33.9s
引擎pi
可以安装
No action required. This skill performs standard PDF processing (pdftotext, pdfimages, pdfinfo, tesseract, jq) for academic paper summarization, all of which is clearly declared in SKILL.md.

安全发现 1 项

严重性 安全发现 位置
低危
sudo apt-get install in SKILL.md
SKILL.md instructs to run `sudo apt-get install` for dependency installation. This is a standard setup requirement for a PDF processing skill and is clearly documented.
sudo apt-get install -y poppler-utils
→ This is legitimate setup documentation, not a risk. No action needed.
 SKILL.md:57
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 All file operations are read-only on PDFs, text, and logs within a scoped $PAPER…
命令执行 WRITE WRITE ✓ 一致 5 shell scripts (extract_metadata.sh, extract_pdf_text.sh, check_duplicate.sh, l…
网络访问 READ READ ✓ 一致 feishu.cn API calls and doi.org reference links — declared for document creation…
环境变量 NONE READ ✓ 一致 Reads $PAPER_DIR, $PAPERS_DIR, $DOC_TOKEN from openclaw.json config — no credent…
技能调用 NONE WRITE ✓ 一致 Invokes feishu_doc, sessions_spawn, subagents tools — all declared in SKILL.md
剪贴板 NONE NONE No clipboard access observed
浏览器 NONE NONE No browser automation
数据库 NONE NONE No database access
3 项发现
🔗
中危 外部 URL 外部 URL
https://feishu.cn/docx/
SKILL.md:531
🔗
中危 外部 URL 外部 URL
https://doi.org/
references/summary_template.md:143
🔗
中危 外部 URL 外部 URL
https://feishu.cn/docx/$existing_token
scripts/check_duplicate.sh:55

目录结构

7 文件 · 63.5 KB · 2109 行
Markdown 2f · 1562L Shell 5f · 547L
├─ 📁 references
│ └─ 📝 summary_template.md Markdown 218L · 4.1 KB
├─ 📁 scripts
│ ├─ 🔧 check_duplicate.sh Shell 155L · 5.4 KB
│ ├─ 🔧 extract_metadata.sh Shell 98L · 2.9 KB
│ ├─ 🔧 extract_pdf_text.sh Shell 56L · 1.4 KB
│ ├─ 🔧 locate_figures.sh Shell 144L · 4.6 KB
│ └─ 🔧 merge_supplement.sh Shell 94L · 2.6 KB
└─ 📝 SKILL.md Markdown 1344L · 42.5 KB

依赖分析 3 项

包名版本来源已知漏洞备注
poppler-utils system package apt Standard PDF processing toolkit (pdftotext, pdfinfo, pdfimages, pdftoppm)
tesseract-ocr system package apt OCR engine for image-to-text extraction
jq system package apt JSON processor for metadata parsing

安全亮点

✓ All shell script execution is explicitly declared in SKILL.md with clear purpose (PDF/text extraction, metadata, figures, deduplication)
✓ No credential harvesting — reads only public DOI data and config files
✓ No base64, eval, or obfuscated code patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, ~/.netrc)
✓ No external IP addresses or C2 infrastructure
✓ No curl|bash or wget|sh remote script execution
✓ Working directory scoped to $PAPER_DIR — no broad filesystem access
✓ No data exfiltration or unauthorized data transmission
✓ Multi-agent architecture with sub-agent cleanup is well-designed
✓ Dependencies (poppler-utils, tesseract-ocr, jq) are standard CLI tools, version-pinning not critical for security