Low Risk — Risk Score 15/100
Last scan: 19 hr ago
经期管理 / Period Tracker
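A women's health cycle tracking tool that supports period logging, symptom tracking, cycle prediction, ovulation management, scheduled reminders, and health statistics.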
A legitimate period tracking tool with minor documentation gaps regarding shell and network access, but no malicious behavior detected.
Skill Name: 经期管理 / Period Tracker
Duration: 36.7s
Engine: pi
Safe to install
Add explicit declarations for subprocess/crontab usage and clawhub network access in SKILL.md for improved transparency. No security action required.

Findings 2 items

Severity: Low
Finding: Shell access via crontab not explicitly declared (Doc Mismatch)
Location: scripts/setup_reminder.py:55
The skill uses subprocess to interact with crontab for reminder scheduling (setup_reminder.py:55-82), but SKILL.md only mentions '定时提醒' ("scheduled reminders") without explaining the cron-based implementation.
Evidence: subprocess.run(["crontab", "-"], input=new_crontab, text=True)
→ Add '系统依赖: cron/crontab' ("System dependency: cron/crontab") to the technical information section of SKILL.md.

Severity: Low
Finding: clawhub network access not documented (Doc Mismatch)
Location: scripts/period_tracker.py:48
The skill calls the 'clawhub' CLI tool for version checking and updates (period_tracker.py:48, 406), which involves network requests. This is not declared in SKILL.md.
Evidence: subprocess.run(["clawhub", "list"], capture_output=True, text=True, timeout=10)
→ Add '依赖工具: clawhub CLI' ("Tool dependency: clawhub CLI") to the technical information section of SKILL.md.

Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md states local storage, code writes to ~/.openclaw/workspace/period_track…
Network | NONE | READ | ✗ Violation | scripts/period_tracker.py:48 uses 'clawhub list' which performs network requests
Shell | NONE | WRITE | ✗ Violation | scripts/period_tracker.py:387-391 and setup_reminder.py:55-82 use crontab for sc…
Database | NONE | NONE | | Uses JSON file storage, not a database

File Tree

4 files · 47.9 KB · 1296 lines
Python 2f · 1090L Markdown 2f · 206L
├─ 📁 references
│ └─ 📝 data-schema.md Markdown 75L · 1.9 KB
├─ 📁 scripts
│ ├─ 🐍 period_tracker.py Python 841L · 32.5 KB
│ └─ 🐍 setup_reminder.py Python 249L · 9.1 KB
└─ 📝 SKILL.md Markdown 131L · 4.4 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
Python 3 standard library only | N/A | bundled | No | No external pip dependencies - all functionality uses standard library

Security Positives

✓ No credential harvesting or sensitive data theft
✓ No network requests made directly (only via clawhub CLI tool)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation or base64-encoded payloads
✓ No data exfiltration - all data stored locally
✓ No reverse shell or C2 communication
✓ Standard library only - no external dependencies with supply chain risk
✓ Open source health tracking application with legitimate purpose