Trusted (risk score 5/100)
Last scanned: 1 day ago
baikexia
Snail Company Baikexia (百科虾) skill pack that answers employees' company-related questions
A legitimate company knowledge base Q&A skill for Walter company with proper documentation and only declared Feishu API integration.
Skill name: baikexia
Analysis time: 38.9s
Engine: pi
OK to install
No action required. The skill performs its documented function of syncing and searching a company knowledge base via Feishu API.

Security findings: 1

Severity: Low
Finding: Hardcoded wiki configuration (sensitive access)
Wiki token (WIKI_TOKEN) and space ID (SPACE_ID) are hardcoded in sync.js. These values are not highly sensitive; this is a maintainability concern rather than a security risk.
const WIKI_TOKEN = 'VGRRw7s4BiStank4GnpczxnGn44';
→ Consider moving to openclaw.json configuration if rotation is needed.
Location: scripts/sync.js:40
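Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | WRITE | ✓ Consistent | cache/content.json creation in sync.js
Network access | READ | READ | ✓ Consistent | HTTPS requests to open.feishu.cn for API calls
Command execution | NONE | NONE | | No subprocess or shell execution observed
Environment variables | NONE | READ | ✓ Consistent | OPENCLAW_AGENT_NAME env var read in send-message.js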
2 findings
Medium: External URL
https://open.feishu.cn/open-apis
scripts/send-message.js:16
Medium: External URL
https://campsnail.feishu.cn/wiki/$
scripts/sync.js:616

Directory structure

5 files · 62.3 KB · 1806 lines
JavaScript: 3 files, 1586 lines · Markdown: 1 file, 215 lines · JSON: 1 file, 5 lines
├─ 📁 scripts
│ ├─ 📜 search.js JavaScript 281L · 8.2 KB
│ ├─ 📜 send-message.js JavaScript 357L · 11.7 KB
│ └─ 📜 sync.js JavaScript 948L · 35.8 KB
├─ 📋 _meta.json JSON 5L · 134 B
└─ 📝 SKILL.md Markdown 215L · 6.4 KB

Security highlights

✓ No obfuscation techniques (base64, eval) detected
✓ No shell command execution (subprocess) observed
✓ No credential exfiltration - credentials only used for Feishu API authentication
✓ No network requests to unknown external IPs - only communicates with open.feishu.cn
✓ All functionality declared in SKILL.md documentation
✓ Clean codebase with no hidden functionality
✓ Uses Node.js native https module instead of curl/wget