Low risk — risk score 5/100
Last scan: 1 day ago
guoshun-inspection-logger
Construction log / inspection record AI generator — converts verbal descriptions into Word inspection record documents in the standardized format for Jiangsu Province construction engineering
This is a straightforward construction inspection log generator with no malicious behavior, minimal filesystem access, and clean code that matches its documentation.
Skill name: guoshun-inspection-logger
Analysis time: 29.6s
Engine: pi
Verdict: safe to install
No blocking action needed. The skill is a legitimate document generation tool. Consider pinning the python-docx dependency to a specific version for supply-chain hygiene.

Security findings: 1

Severity | Finding | Category | Location
Low | Unpinned python-docx dependency | Supply chain | SKILL.md:66

Description: SKILL.md instructs 'pip install python-docx' without a version pin, allowing any version (including future compromised versions) to be installed.
Current: pip install python-docx
→ Recommendation: pin to a specific version: pip install python-docx==1.1.2
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ,WRITE | READ,WRITE | ✓ Consistent | scripts/gen_log.py:119 PROJECT_INFO_PATH, scripts/gen_log.py:127 open()
Command execution | NONE | NONE | | No subprocess, os.system, or shell invocation found
Network access | NONE | NONE | | No urllib, requests, or socket calls found
Environment variables | NONE | READ | ✓ Consistent | Path.home() indirectly accesses HOME; only used for the config file path
Skill invocation | NONE | NONE | | No skill invocation detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access

Directory structure

3 files · 34.9 KB · 1004 lines
Python: 1 file · 811 lines; Markdown: 2 files · 193 lines
├─ 📁 reference
│ └─ 📝 README.md Markdown 73L · 2.4 KB
├─ 📁 scripts
│ └─ 🐍 gen_log.py Python 811L · 29.3 KB
└─ 📝 SKILL.md Markdown 120L · 3.3 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
python-docx | unpinned | pip | none listed | No version specified in SKILL.md; recommend pinning to a known stable version

Security highlights

✓ No shell execution (subprocess, os.system, eval) — clean command handling
✓ No credential theft — no access to ~/.ssh, ~/.aws, .env, or os.environ for sensitive keys
✓ No data exfiltration — no network requests, no outbound data transfer
✓ No obfuscation — all code is plain-text Python, no base64, no dynamic execution
✓ Documentation matches implementation — SKILL.md accurately describes gen_log.py behavior
✓ Filesystem writes are scoped to a single JSON project info file in a plugin-specific directory
✓ No hidden functionality — no HTML comments, no injected instructions, no privilege escalation
✓ Regex parsing is straightforward text processing with no dangerous patterns
✓ No persistence mechanisms — no cron jobs, startup scripts, or backdoor installation
✓ No suspicious imports — only standard library (json, os, re, sys, argparse, datetime, pathlib) and python-docx