Trusted (risk score 5/100)
Last scanned: 2 days ago
design-norm-quantity
度量衡测不准关键因子配比估量估价系统 v3.3 - Construction cost estimation with Monte Carlo simulation
Legitimate construction cost estimation system with no malicious behavior detected. All functionality is declared and serves legitimate engineering purposes.
Skill name: design-norm-quantity
Analysis time: 46.7s
Engine: pi
Verdict: safe to install
This skill is safe to use. The web crawling and PDF download capabilities are explicitly declared and serve the stated purpose of fetching official construction cost data and international QS standards.

Security findings (4)

Severity | Finding | Location

Info | Web Crawling Declared | scripts/crawler.py:1
The crawler functionality for fetching official construction cost data from Chinese government websites is explicitly documented in SKILL.md.
Evidence: 深圳市建设工程造价管理站 (Shenzhen Construction Cost Management Station), 广州市建设工程造价管理站 (Guangzhou Construction Cost Management Station), 苏州市工程造价协会 (Suzhou Engineering Cost Association)
→ No action needed: this is the intended functionality

Info | International Standards Download | scripts/download_international_qs.py:33
PDF downloads from RICS, Arcadis, HKIS and other legitimate industry bodies are documented.
Evidence: RICS New Rules of Measurement, Arcadis Cost Handbook
→ No action needed: legitimate industry standards

Info | Local Data Storage | scripts/db_connector.py:34
SQLite database created in ~/.workbuddy/data/ for storing cost indices; this is a standard application data storage pattern.
Evidence: DEFAULT_DATA_DIR = os.path.join(os.path.expanduser('~'), '.workbuddy', 'data')
→ No action needed: appropriate use of the user home directory

Low | HTTP URLs in Crawler | scripts/crawler.py
Some government URLs use HTTP instead of HTTPS (common in China).
Evidence: http://www.gzgzc.com.cn
→ Consider using HTTPS where available for better security
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ consistent | SKILL.md declares reference data access, code reads JSON files from references/ …
Network access | READ | READ | ✓ consistent | crawler.py and download_international_qs.py explicitly declared with URLs to gov…
Command execution | NONE | NONE | | No subprocess or shell execution found in any script
Environment variables | NONE | NONE | | No os.environ access for credential harvesting
Database | READ | READ | ✓ consistent | db_connector.py creates local SQLite database in ~/.workbuddy/data/ for cost ind…
14 findings

Severity | Type | URL | Location
Medium | External URL | https://www.szjs.gov.cn | scripts/crawler.py:137
Medium | External URL | http://www.gzgzc.com.cn | scripts/crawler.py:150
Medium | External URL | http://szgczjxh.com | scripts/crawler.py:163
Medium | External URL | https://www.gldcost.com/ | scripts/crawler.py:189
Medium | External URL | https://api.gldcost.com/v1/indicator | scripts/crawler.py:195
Medium | External URL | https://www.rics.org/content/dam/ricsglobal/documents/standards/nrm_1_order_of_cost_estimating_and_cost_planning_2nd_edi... | scripts/download_international_qs.py:33
Medium | External URL | https://www.rics.org/content/dam/ricsglobal/documents/standards/october_2021_nrm_2.pdf | scripts/download_international_qs.py:38
Medium | External URL | https://edshare.gcu.ac.uk/3948/2/PDF/NRM24~27.pdf | scripts/download_international_qs.py:43
Medium | External URL | https://www.rics.org/content/dam/ricsglobal/documents/standards/Cost-analysis-and-benchmarking_2nd-edition.pdf | scripts/download_international_qs.py:50
Medium | External URL | https://media.arcadis.com/-/media/project/arcadiscom/com/perspectives/asia/publications/cch/2025/2025-cnhk-cost-handbook... | scripts/download_international_qs.py:57
Medium | External URL | https://wwvv.hkis.org.hk/ufiles/QS-costplans2016.pdf | scripts/download_international_qs.py:64
Medium | External URL | https://dlsconsultant.com/wp-content/uploads/2024/02/DLS-Quarterly-Report-Q1-2023-20250509.pdf | scripts/download_international_qs.py:71
Medium | External URL | https://www.iqytechnicalcollege.com/quantitysurveyorspocketbook.pdf | scripts/download_international_qs.py:78
Medium | External URL | https://assets.thalia.media/doc/artikel/cfb/b63/cfbb6327f516071fbfc2bc715c9b854000f165f5.pdf | scripts/download_international_qs.py:85

Directory structure

25 files · 455.5 KB · 10375 lines
Python: 16 files · 7170 lines; JSON: 6 files · 1651 lines; Markdown: 3 files · 1554 lines
├─ references/
│  ├─ building-norms.json            JSON 106L · 3.8 KB
│  ├─ design-quantity-ratios.json    JSON 148L · 8.1 KB
│  ├─ innovative-ratios-v2.json      JSON 655L · 39.4 KB
│  ├─ material-factors-v3.json       JSON 544L · 23.7 KB
│  ├─ mep-quantity-ratios.json       JSON 108L · 6.0 KB
│  └─ region-adjustments.json        JSON 90L · 5.1 KB
├─ scripts/
│  ├─ crawler.py                     Python 348L · 11.7 KB
│  ├─ data_calibrator.py             Python 338L · 12.1 KB
│  ├─ db_connector.py                Python 598L · 24.2 KB
│  ├─ download_international_qs.py   Python 230L · 7.3 KB
│  ├─ global_engineering_qs.py       Python 803L · 27.9 KB
│  ├─ interactive_demo.py            Python 648L · 29.3 KB
│  ├─ international_qs_methods.py    Python 379L · 14.4 KB
│  ├─ material_factor_engine.py      Python 621L · 23.4 KB
│  ├─ quantity_estimator_v2.py       Python 1049L · 46.3 KB
│  ├─ quantity_estimator.py          Python 389L · 18.5 KB
│  ├─ run_demo.py                    Python 232L · 7.7 KB
│  ├─ test_calibrator.py             Python 47L · 1.4 KB
│  ├─ test_estimator_v2.py           Python 36L · 928 B
│  ├─ test_v32.py                    Python 64L · 1.9 KB
│  ├─ uncertainty_calculator.py      Python 493L · 20.3 KB
│  └─ uncertainty_estimator.py       Python 895L · 35.4 KB
├─ PROTOCOL.md                       Markdown 998L · 70.0 KB
├─ README.md                         Markdown 154L · 4.2 KB
└─ SKILL.md                          Markdown 402L · 12.6 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | none exploited | Standard HTTP library; version is not pinned, but no known vulnerabilities are exploited
sqlite3 | builtin | stdlib | none | Python standard library

Security highlights

✓ No base64 encoded payloads or obfuscated code
✓ No reverse shell, C2, or data exfiltration mechanisms
✓ No credential harvesting from environment variables
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No eval() or dynamic code execution
✓ No remote script execution (curl|bash, wget|sh)
✓ All network activity is explicitly documented in SKILL.md
✓ Uses standard, well-known libraries (requests, sqlite3)
✓ Legitimate engineering cost estimation functionality
✓ Industry-standard Monte Carlo simulation implementation