Trusted: risk score 0/100
Last scanned: 2 days ago
daily-reflect
Daily journal guide: provides one in-depth journal topic each day, with a morning writing prompt and an evening review and reflection
Daily journal prompt generator with solid input sanitization and no security issues - all file access is constrained to a safe user data directory with path traversal protection.
Skill name: daily-reflect
Analysis time: 23.9s
Engine: pi
Can be installed
Skill is safe to use. Consider documenting allowed-tools explicitly in SKILL.md for completeness.
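| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | NONE | READ | ✓ Consistent | Scripts only access data/users/ directory with path traversal protection |
| Network access | NONE | NONE | | No network calls observed in any script |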
1 finding
Medium severity: external URL
https://openclaw.ai
README.md:5

Directory structure

7 files · 10.0 KB · 204 lines
Markdown 2f · 104L JavaScript 3f · 85L JSON 2f · 15L
├─ 📁 scripts
│ ├─ 📜 evening-push.js JavaScript 18L · 1.4 KB
│ ├─ 📜 morning-push.js JavaScript 18L · 1.5 KB
│ └─ 📜 push-toggle.js JavaScript 49L · 3.6 KB
├─ 📋 _meta.json JSON 7L · 139 B
├─ 📋 package.json JSON 8L · 167 B
├─ 📝 README.md Markdown 43L · 1.6 KB
└─ 📝 SKILL.md Markdown 61L · 1.6 KB

Security highlights

✓ Robust input sanitization: userId validated with regex /^[a-zA-Z0-9_-]{1,128}$/
✓ Path traversal protection: safeUserPath() ensures all file operations stay within data/users/ directory
✓ Time validation for cron expressions prevents malformed input
✓ Channel whitelist: ALLOWED_CH Set restricts to telegram/feishu/slack/discord only
✓ No shell execution or child_process usage
✓ No credential harvesting or environment variable access
✓ No network requests or external IP communications
✓ No eval(), atob(), or dynamic code execution