Low risk: risk score 15/100
Last scan: 22 hours ago
经期管理 / Period Tracker
A women's health cycle-tracking tool that supports period logging, symptom tracking, cycle prediction, ovulation management, scheduled reminders and health statistics
A legitimate period tracking tool with minor documentation gaps regarding shell and network access, but no malicious behavior detected.
Skill name: 经期管理 / Period Tracker
Analysis time: 36.7s
Engine: pi
Verdict: can be installed
Add explicit declarations for subprocess/crontab usage and clawhub network access in SKILL.md for improved transparency. No security action required.

Security findings: 2

Severity | Finding | Location

Finding 1
Severity: Low
Finding: Shell access via crontab not explicitly declared (category: documentation deception)
Detail: The skill uses subprocess to interact with crontab for reminder scheduling (setup_reminder.py:55-82), but SKILL.md only mentions '定时提醒' (scheduled reminders) without explaining the cron-based implementation.
Evidence: subprocess.run(["crontab", "-"], input=new_crontab, text=True)
→ Add '系统依赖: cron/crontab' (system dependency: cron/crontab) to the SKILL.md technical information section
Location: scripts/setup_reminder.py:55

Finding 2
Severity: Low
Finding: clawhub network access not documented (category: documentation deception)
Detail: The skill calls the 'clawhub' CLI tool for version checking and updates (period_tracker.py:48, 406), which involves network requests. This is not declared in SKILL.md.
Evidence: subprocess.run(["clawhub", "list"], capture_output=True, text=True, timeout=10)
→ Add '依赖工具: clawhub CLI' (dependency tool: clawhub CLI) to the SKILL.md technical information section
Location: scripts/period_tracker.py:48
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ consistent | SKILL.md states local storage; code writes to ~/.openclaw/workspace/period_track…
Network access | NONE | READ | ✗ exceeds declaration | scripts/period_tracker.py:48 uses 'clawhub list', which performs network requests
Command execution | NONE | WRITE | ✗ exceeds declaration | scripts/period_tracker.py:387-391 and setup_reminder.py:55-82 use crontab for sc…
Database | NONE | NONE | | Uses JSON file storage, not a database

Directory structure

4 files · 47.9 KB · 1296 lines
Python: 2 files · 1090 lines; Markdown: 2 files · 206 lines
├─ 📁 references
│ └─ 📝 data-schema.md Markdown 75L · 1.9 KB
├─ 📁 scripts
│ ├─ 🐍 period_tracker.py Python 841L · 32.5 KB
│ └─ 🐍 setup_reminder.py Python 249L · 9.1 KB
└─ 📝 SKILL.md Markdown 131L · 4.4 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
Python 3 standard library only | N/A | bundled | | No external pip dependencies; all functionality uses the standard library

Security highlights

✓ No credential harvesting or sensitive data theft
✓ No network requests made directly (only via clawhub CLI tool)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation or base64-encoded payloads
✓ No data exfiltration - all data stored locally
✓ No reverse shell or C2 communication
✓ Standard library only - no external dependencies with supply chain risk
✓ Open source health tracking application with legitimate purpose