Trusted: risk score 5/100
Last scanned: 1 day ago
contractor-marketing-cowork
AI marketing department for contractors and home service businesses. 12 slash commands + 6 background skills for SEO, ads, social media, proposals, job costing, competitor audits, and more.
Pure documentation-based marketing skill with no executable code, no sensitive file access, and a publicly-documented Supabase anon key used for strategy lookups.
Skill name: contractor-marketing-cowork
Analysis time: 28.9s
Engine: pi
Verdict: OK to install
No action needed. The skill is safe to use as documented.

Security findings: 1

Severity: Low
Finding: Supabase anon API key embedded in documentation (category: documentation deception)
Location: SKILL.md:43

SKILL.md line 43 contains a JWT-format Supabase API key in the Strategy Library curl example. It is the anon (public) key, which Supabase intends to be shipped to clients: its JWT `role` claim maps to the Postgres `anon` role and carries no elevated privileges. What that key can actually read or write is bounded by the row-level security (RLS) policies on the tables it touches; those policies are server-side and not visible in the skill's files, so shipping the key is not itself a vulnerability. It should be distinguished from a `service_role` key, which bypasses RLS and would be a critical finding. Embedding even the anon key in docs is still poor practice.
Evidence: apikey=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
→ Consider removing the API key from documentation and guiding users to provide their own key or use a server-side proxy. If the key stays, confirm that RLS is enabled on the queried table and that the `anon` role's policies permit only the intended reads.
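Triage of a finding like this one comes down to reading the key's JWT claims: a Supabase API key is an HS256 JWT whose `role` claim says whether it is the publishable `anon` key (bounded by RLS) or the `service_role` key (bypasses RLS). The following Python is an added example, not part of the scan report or of the contractor-marketing-cowork skill. It decodes the claims without verifying the signature, rates the key by role, and runs that check over a constructed Markdown document. The regex, the function names, the placeholder project ref `exampleref`, the sample document and the bogus signatures are all assumptions made for the example.

```python
from __future__ import annotations

import base64
import json
import re

# Supabase API keys are HS256 JWTs; match the three base64url segments.
# Assumption for this example: the real scanner's matching rule is not shown.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a JWT without checking its signature.

    Verification needs the project's JWT secret, which a reviewer of the
    docs does not have; classifying an embedded key only needs its claims.
    """
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def classify_supabase_key(token: str) -> str:
    """Rate an embedded Supabase key by the Postgres role its JWT carries.

    'anon' is the publishable key: meant to ship to clients, with reads and
    writes bounded by row-level security policies on each table.
    'service_role' bypasses RLS entirely and must never appear in docs.
    """
    _header, payload = decode_jwt_unverified(token)
    if payload.get("iss") != "supabase":
        return "info: JWT is not a Supabase key"
    role = payload.get("role")
    if role == "service_role":
        return "critical: service_role key (bypasses RLS)"
    if role == "anon":
        return "low: anon key (public by design, bounded by RLS)"
    return f"unknown: role={role!r}"


def scan_markdown(text: str) -> list[tuple[int, str, str]]:
    """List (line number, token, rating) for every JWT found in a document."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in JWT_RE.finditer(line):
            token = match.group(0)
            findings.append((lineno, token, classify_supabase_key(token)))
    return findings


def make_test_token(payload: dict) -> str:
    """Build a constructed JWT with a bogus signature for offline testing.

    The compact header encodes to eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, the
    prefix shown in the finding, because every HS256 JWT shares it.
    """
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = _b64url_encode(json.dumps(payload, **compact).encode())
    return f"{header}.{body}.bm90LWEtcmVhbC1zaWduYXR1cmU"  # not a real HMAC


# Constructed sample document modelled on a curl example in a SKILL.md.
# "exampleref" is a placeholder project ref, not the skill's real one.
ANON_KEY = make_test_token({"iss": "supabase", "ref": "exampleref", "role": "anon"})
SERVICE_KEY = make_test_token({"iss": "supabase", "ref": "exampleref", "role": "service_role"})
SAMPLE_DOC = f"""# Strategy Library
Look up strategies with:
curl "https://exampleref.supabase.co/rest/v1/strategies?select=title&apikey={ANON_KEY}"
Server-side jobs use a different key:
SUPABASE_SERVICE_KEY={SERVICE_KEY}
"""

if __name__ == "__main__":
    for lineno, token, rating in scan_markdown(SAMPLE_DOC):
        print(f"line {lineno}: {rating}  {token[:40]}...")
```

The decoded role classifies what the document author embedded; it is not proof of authorization, since anyone can mint a JWT that claims any role. The real control is the signature, checked only by the Supabase project with its secret, and the RLS policies behind the `anon` role.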
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No file I/O operations found; all content is Markdown text |
| Network access | NONE | NONE | | No network calls in code; the curl example is documented API usage, not executed |
| Command execution | NONE | NONE | | No bash/shell commands, scripts, or subprocess calls found |
| Environment variables | NONE | NONE | | No os.environ or environment variable access found |
| Clipboard | NONE | NONE | | Not referenced in any file |
| Browser | READ | READ | ✓ Consistent | CONNECTORS.md documents browser use for GBP/Meta/Google Ads; clearly declared |
| Database | NONE | NONE | | No direct DB access; the Supabase REST call is documented API usage |
External URLs: 3 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://heavymetric.com/strategies | README.md:37 |
| Medium | External URL | https://heavymetric.com | README.md:95 |
| Medium | External URL | https://dmlybcnpwtnaadmapdhl.supabase.co/rest/v1/strategies?or=(title.ilike.*QUERY* | SKILL.md:43 |

Directory structure

21 files · 38.6 KB · 928 lines
Markdown: 21 files · 928 lines
├─ 📁 commands
│ ├─ 📝 ad-creative.md Markdown 44L · 1.7 KB
│ ├─ 📝 competitor-audit.md Markdown 54L · 1.6 KB
│ ├─ 📝 content-calendar.md Markdown 49L · 1.8 KB
│ ├─ 📝 email-sequence.md Markdown 46L · 1.8 KB
│ ├─ 📝 gbp-post.md Markdown 35L · 1.3 KB
│ ├─ 📝 job-cost.md Markdown 52L · 1.6 KB
│ ├─ 📝 lead-followup.md Markdown 43L · 1.5 KB
│ ├─ 📝 onboard.md Markdown 49L · 2.1 KB
│ ├─ 📝 proposal.md Markdown 54L · 1.9 KB
│ ├─ 📝 review-response.md Markdown 48L · 1.5 KB
│ ├─ 📝 social-batch.md Markdown 45L · 1.6 KB
│ └─ 📝 weekly-report.md Markdown 44L · 1.8 KB
├─ 📁 skills
│ ├─ 📁 contractor-ads
│ │ └─ 📝 SKILL.md Markdown 37L · 1.8 KB
│ ├─ 📁 contractor-email
│ │ └─ 📝 SKILL.md Markdown 27L · 1.6 KB
│ ├─ 📁 contractor-operations
│ │ └─ 📝 SKILL.md Markdown 31L · 1.6 KB
│ ├─ 📁 contractor-positioning
│ │ └─ 📝 SKILL.md Markdown 35L · 1.7 KB
│ ├─ 📁 contractor-seo
│ │ └─ 📝 SKILL.md Markdown 28L · 1.8 KB
│ └─ 📁 contractor-social
│ └─ 📝 SKILL.md Markdown 34L · 1.6 KB
├─ 📝 CONNECTORS.md Markdown 22L · 1.2 KB
├─ 📝 README.md Markdown 97L · 4.2 KB
└─ 📝 SKILL.md Markdown 54L · 2.9 KB

Security highlights

✓ No executable code — pure Markdown documentation only
✓ No scripts, shell commands, or subprocess calls
✓ No environment variable or credential access
✓ No sensitive file paths accessed (~/.ssh, ~/.aws, .env)
✓ No base64-encoded or obfuscated content
✓ No credential harvesting or data exfiltration
✓ All external capabilities (browser automation) clearly documented in CONNECTORS.md
✓ No supply chain risks — no dependencies, no package files