Low Risk — Risk Score 5/100
Last scan: 1 day ago
guoshun-inspection-logger
Construction log / inspection record AI generator: converts verbal descriptions into Word inspection record documents in the standardized format used for Jiangsu Province construction projects
This is a straightforward construction inspection log generator with no malicious behavior, minimal filesystem access, and clean code that matches its documentation.
Skill Name: guoshun-inspection-logger
Duration: 29.6s
Engine: pi
Safe to install
No blocking action needed. The skill is a legitimate document generation tool. Consider pinning the python-docx dependency to a specific version for supply-chain hygiene.

Findings (1 item)

Severity: Low
Finding: Unpinned python-docx dependency
Location: Supply Chain (SKILL.md:66)
Description: SKILL.md instructs 'pip install python-docx' without a version pin, allowing any version (including future compromised versions) to be installed.
Evidence: pip install python-docx
Recommendation: Pin to a specific version: pip install python-docx==1.1.2
Resource     | Declared   | Inferred   | Status    | Evidence
Filesystem   | READ,WRITE | READ,WRITE | ✓ Aligned | scripts/gen_log.py:119 PROJECT_INFO_PATH; scripts/gen_log.py:127 open()
Shell        | NONE       | NONE       |           | No subprocess, os.system, or shell invocation found
Network      | NONE       | NONE       |           | No urllib, requests, or socket calls found
Environment  | NONE       | READ       | ✓ Aligned | Path.home() indirectly accesses HOME; only used for config file path
Skill Invoke | NONE       | NONE       |           | No skill invocation detected
Clipboard    | NONE       | NONE       |           | No clipboard access
Browser      | NONE       | NONE       |           | No browser automation
Database     | NONE       | NONE       |           | No database access

File Tree

3 files · 34.9 KB · 1004 lines
Python: 1 file, 811 lines · Markdown: 2 files, 193 lines
├─ 📁 reference
│ └─ 📝 README.md Markdown 73L · 2.4 KB
├─ 📁 scripts
│ └─ 🐍 gen_log.py Python 811L · 29.3 KB
└─ 📝 SKILL.md Markdown 120L · 3.3 KB

Dependencies (1 item)

Package     | Version  | Source | Known Vulns | Notes
python-docx | unpinned | pip    | No          | No version specified in SKILL.md; recommend pinning to a known stable version

Security Positives

✓ No shell execution (subprocess, os.system, eval) — clean command handling
✓ No credential theft — no access to ~/.ssh, ~/.aws, .env, or os.environ for sensitive keys
✓ No data exfiltration — no network requests, no outbound data transfer
✓ No obfuscation — all code is plain-text Python, no base64, no dynamic execution
✓ Documentation matches implementation — SKILL.md accurately describes gen_log.py behavior
✓ Filesystem writes are scoped to a single JSON project info file in a plugin-specific directory
✓ No hidden functionality — no HTML comments, no injected instructions, no privilege escalation
✓ Regex parsing is straightforward text processing with no dangerous patterns
✓ No persistence mechanisms — no cron jobs, startup scripts, or backdoor installation
✓ No suspicious imports — only standard library (json, os, re, sys, argparse, datetime, pathlib) and python-docx