Trusted: risk score 5/100
Last scan: 2 days ago
github-growth-tracker
Track GitHub repo growth (stars, forks, issues, commits) with periodic digests and trend analysis
A straightforward GitHub repository growth tracker with no malicious behavior. All capabilities align with documentation; the only noted concern is plaintext token storage, which is explicitly disclosed in SKILL.md.
Skill name: github-growth-tracker
Analysis time: 25.9s
Engine: pi
Verdict: safe to install
The skill is safe to use. If stronger credential handling is needed, pass the GitHub token through the GITHUB_TOKEN environment variable instead of persisting it to disk with --token.

Security findings (1)

Severity | Finding | Location
-------- | ------- | --------
Low | GitHub token stored in plaintext on disk | scripts/github_tracker.py:65

The save_token() function writes the GitHub PAT to ~/.openclaw/credentials/github.json without encryption. SKILL.md acknowledges this with a warning recommending the GITHUB_TOKEN env var instead.

    json.dump({"github_token": token}, f, indent=2)

→ No action required if the GITHUB_TOKEN env var is used. This is a known limitation, clearly documented.
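The finding above quotes the weak write but not what a practitioner would do about it. The following is an added example, not code from the github-growth-tracker skill: it puts the as-found pattern (plain open(..., 'w') + json.dump, which inherits the process umask and is typically created 0644) next to a hardened writer that creates the file 0600 in a 0700 directory and swaps it in atomically, and a resolver that follows the report's recommendation of GITHUB_TOKEN first and refuses a credentials file other users can read. The credentials path mirrors the one in the finding, but the function names, the run_demo() harness and the ghp_EXAMPLE_* tokens are constructed for illustration. The token is still plaintext on disk in the hardened variant; that is the disclosed limitation, and the permissions only narrow who can read it.

```python
"""Added example (not the skill's code): keep the GitHub PAT out of
world-readable files and prefer the GITHUB_TOKEN environment variable."""
import json
import os
import stat
import tempfile
from pathlib import Path

# Mirrors the path named in the finding; only used as a default here.
DEFAULT_CREDENTIALS_PATH = Path.home() / ".openclaw" / "credentials" / "github.json"


def save_token_as_found(token: str, path: Path) -> None:
    """The pattern the finding quotes. The mode comes from the process umask,
    commonly 0o022, so the file lands as 0o644 and any local user can read it."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as f:
        json.dump({"github_token": token}, f, indent=2)


def save_token_hardened(token: str, path: Path) -> None:
    """Same plaintext JSON (the disclosed limitation stays), but created 0o600
    via os.open inside a 0o700 directory, written to a temp name and renamed so
    no reader ever sees a partial or wider-mode file."""
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"github_token": token}, f, indent=2)
    os.chmod(tmp, 0o600)  # O_CREAT keeps a pre-existing file's mode; force it
    os.replace(tmp, path)


def file_mode(path: Path) -> int:
    """Permission bits only (e.g. 0o644), for checks and assertions."""
    return stat.S_IMODE(os.stat(path).st_mode)


def resolve_token(env, path: Path):
    """Order the report recommends: GITHUB_TOKEN first, then the credentials
    file, and only if nobody else can read that file.
    Returns (token, source) with source in {'env', 'file', 'none'}."""
    token = env.get("GITHUB_TOKEN")
    if token:
        return token, "env"
    if not path.exists():
        return None, "none"
    if file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is readable by other users; refusing to load the token (chmod 600 it)"
        )
    with open(path) as f:
        return json.load(f).get("github_token"), "file"


def run_demo(base_dir=None) -> dict:
    """Exercise both writers under a 0o022 umask in a scratch directory.
    Tokens are constructed placeholders, not real credentials."""
    base = Path(base_dir or tempfile.mkdtemp(prefix="ghtracker-demo-"))
    old_umask = os.umask(0o022)
    try:
        weak = base / "as_found" / "github.json"
        strong = base / "hardened" / "github.json"
        save_token_as_found("ghp_EXAMPLE_WEAK", weak)
        save_token_hardened("ghp_EXAMPLE_STRONG", strong)
        try:
            resolve_token({}, weak)
            weak_loaded = True
        except PermissionError:
            weak_loaded = False
        return {
            "weak_mode": file_mode(weak),        # 0o644: refused by resolve_token
            "weak_loaded": weak_loaded,           # False
            "strong_mode": file_mode(strong),    # 0o600
            "from_file": resolve_token({}, strong),
            "from_env": resolve_token({"GITHUB_TOKEN": "ghp_EXAMPLE_ENV"}, strong),
            "missing": resolve_token({}, base / "absent.json"),
        }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    r = run_demo()
    print("as-found file mode:", oct(r["weak_mode"]), "loaded:", r["weak_loaded"])
    print("hardened file mode:", oct(r["strong_mode"]))
    print("resolved from file:", r["from_file"])
    print("resolved from env: ", r["from_env"])
    print("no file, no env:   ", r["missing"])
```

The mode check in resolve_token is the part worth copying into a skill like this one: it turns a silently world-readable credentials file into a loud failure at the point the token is used, and it costs nothing when GITHUB_TOKEN is set because the file is never consulted.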
Resource type | Declared permission | Inferred permission | Status | Evidence
------------- | ------------------- | ------------------- | ------ | --------
File system | READ | WRITE | ✓ consistent | scripts/github_tracker.py:65 — open(CREDENTIALS_PATH, 'w'), open(CONFIG_PATH, 'w…
Network access | READ | READ | ✓ consistent | scripts/github_tracker.py:45 — urllib.request.urlopen to api.github.com only
Environment variables | NONE | READ | ✓ consistent | scripts/github_tracker.py:57 — os.environ.get('GITHUB_TOKEN') for token resoluti…
Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found
Skill invocation | NONE | NONE | | No nested skill invocation

Directory structure

3 files · 20.3 KB · 601 lines
Python: 1 file · 433 lines; Markdown: 2 files · 168 lines
├─ 📁 references
│ └─ 📝 formatting.md (Markdown, 63 lines · 1.8 KB)
├─ 📁 scripts
│ └─ 🐍 github_tracker.py (Python, 433 lines · 15.1 KB)
└─ 📝 SKILL.md (Markdown, 105 lines · 3.5 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
------- | ------- | ------ | --------------------- | -----
stdlib-only | N/A | Python 3 standard library | | Uses only urllib.request, json, os, datetime, argparse; no external packages

Security highlights

✓ No subprocess, os.system, or shell command execution — only urllib for HTTP
✓ No external network requests outside api.github.com
✓ No base64, eval, or obfuscated code
✓ No credential exfiltration or data transmission to third-party endpoints
✓ No iteration over os.environ for sensitive key harvesting
✓ No access to ~/.ssh, ~/.aws, or other sensitive credential paths
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or steganographic payloads
✓ All functionality is fully declared in SKILL.md
✓ No dependencies beyond Python standard library (urllib, json, argparse, os, datetime)