Low risk: risk score 10/100
Last scan: 19 hours ago
fairygitmother
Experimental skill for distributed open source issue fixing via FairygitMother grid
FairygitMother is a documented grid-computing skill that connects to an external API to receive, solve, and submit GitHub issue fixes. All declared capabilities match actual usage with no hidden functionality.
Skill name: fairygitmother
Analysis time: 35.0s
Engine: pi
Verdict: safe to install
Approve for use. The skill's external API calls and its code-submission mechanism are fully documented in SKILL.md. Verify that the fairygitmother.ai endpoint is trusted before deployment.

Security findings: 2

Severity | Finding | Category | Location

Low | External API dependency | Documentation deception | SKILL.md:9
The skill connects to fairygitmother.ai for grid coordination, and code diffs are submitted to that external service. This is documented, but it makes the skill dependent on infrastructure outside the operator's control.
Evidence: https://fairygitmother.ai
Recommendation: verify that the external service is trusted and follows appropriate security practices before deployment.

Low | Workspace dependency references | Supply chain | package.json:13
package.json references workspace dependencies (@fairygitmother/core, @fairygitmother/node) that are not present in the skill directory.
Evidence: "@fairygitmother/core": "workspace:*"
Recommendation: ensure the workspace dependencies are available at install time, or pin them to specific published versions.
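One way to check the second finding before installing, as an added example that is not the skill's or the scanner's own code: the functions below parse a package.json, separate `workspace:` specifiers from published version ranges, and report which workspace packages have nothing local to satisfy them. The sample manifest is constructed for the demo; only the four package names and version strings come from the dependency table on this page, while the field layout and the empty local-workspace set are assumptions.

```javascript
// Added example: audit a package.json for "workspace:" dependencies that an
// isolated skill install cannot satisfy. Not code from the fairygitmother skill.

// Constructed sample manifest. Only the package names and specifiers are taken
// from the scan report; the field layout is an assumption.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "fairygitmother",
  dependencies: {
    "@fairygitmother/core": "workspace:*",
    "@fairygitmother/node": "workspace:*",
  },
  devDependencies: {
    tsup: "^8.3.0",
    typescript: "^5.7.0",
  },
});

// Package names resolvable from the local workspace. For a skill copied into an
// agent directory on its own there is no surrounding monorepo, so this is empty.
const LOCAL_WORKSPACE_PACKAGES = new Set();

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Classify each declared dependency into one of three buckets:
//   unresolvedWorkspace: "workspace:" specifier with no local package to satisfy it
//   ranges:              semver ranges (^, ~, >=, *, x) that float at install time
//   exact:               exact versions, the only bucket that is actually pinned
function auditDependencies(manifestJson, localPackages) {
  const manifest = JSON.parse(manifestJson);
  const report = { unresolvedWorkspace: [], ranges: [], exact: [] };
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const entry = { name, spec, field };
      if (spec.startsWith("workspace:")) {
        // The workspace protocol is only meaningful inside the publishing monorepo.
        // Outside it the install cannot be satisfied from the skill directory alone,
        // so the operator must supply these packages from a source they trust.
        if (!localPackages.has(name)) report.unresolvedWorkspace.push(entry);
      } else if (EXACT_VERSION.test(spec)) {
        report.exact.push(entry);
      } else {
        report.ranges.push(entry);
      }
    }
  }
  return report;
}

// Policy decision for an isolated install: block when any workspace dependency is
// unresolved, otherwise allow but list the floating ranges for review.
function installVerdict(report) {
  if (report.unresolvedWorkspace.length > 0) {
    return {
      allow: false,
      reason: "unresolved workspace dependencies: " +
        report.unresolvedWorkspace.map((d) => d.name).join(", "),
    };
  }
  return {
    allow: true,
    reason: report.ranges.length > 0
      ? "floating ranges to review: " + report.ranges.map((d) => `${d.name}@${d.spec}`).join(", ")
      : "all dependencies pinned",
  };
}

const report = auditDependencies(SAMPLE_PACKAGE_JSON, LOCAL_WORKSPACE_PACKAGES);
console.log(JSON.stringify(installVerdict(report), null, 2));
```

Run against the constructed manifest this blocks the install with both @fairygitmother packages named; passing a set containing those two names (the situation inside the publishing monorepo) turns the verdict to allow, with tsup and typescript listed as caret ranges rather than pins.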
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ, WRITE | READ, WRITE | ✓ consistent | SKILL.md lines 19-34: reads/writes patrol-state.json and credentials.json
Network access | READ | READ | ✓ consistent | SKILL.md lines 52-71: curl to the fairygitmother.ai API
Command execution | WRITE | WRITE | ✓ consistent | SKILL.md lines 52-207: curl commands throughout
Environment variables | READ | READ | ✓ consistent | SKILL.md line 9: requires GITHUB_TOKEN
Skill invocation | NONE | NONE | n/a | no skill_invoke usage found
Clipboard | NONE | NONE | n/a | no clipboard access found
Browser | NONE | NONE | n/a | no browser access found
Database | NONE | NONE | n/a | no database access found
External URLs: 6 findings

Severity | Type | URL | Location
Medium | External URL | https://fairygitmother.ai | SKILL.md:9
Medium | External URL | https://fairygitmother.ai/api/v1/nodes/register | SKILL.md:52
Medium | External URL | https://fairygitmother.ai/api/v1/nodes/$ | SKILL.md:69
Medium | External URL | https://fairygitmother.ai/api/v1/bounties/$ | SKILL.md:207
Medium | External URL | https://fairygitmother.ai/api/v1/reviews/$ | SKILL.md:280
Medium | External URL | https://fairygitmother.ai/api/v1/bounties | actions/fairygitmother.yml:41

The three URLs ending in `$` contain a shell variable in their path; the scan reports only the literal prefix, so the final path segment is determined at run time.
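The network-access permission row and the six URL findings both come down to an egress inventory: which hosts SKILL.md and the workflow file contact, and which paths are fixed versus built from shell variables at run time. Below is an added example of that check, not the scanner's or the skill's code. The sample document is constructed: its fairygitmother.ai URLs are the ones listed in the findings, while the variable names after each `$` and the extra example.net host are assumptions added to exercise the flags.

```javascript
// Added example: inventory outbound URLs in a skill document and flag anything
// outside an allowlist, sent in cleartext, or with a run-time-determined path.
// Not code from the fairygitmother skill or from the scanner.

// Constructed sample. The six fairygitmother.ai URLs match the scan findings; the
// variable names NODE_ID/BOUNTY_ID/REVIEW_ID and the example.net host are
// assumptions added to exercise the checks.
const SAMPLE_SKILL_MD = [
  "# FairygitMother grid node",
  "Requires GITHUB_TOKEN. Coordinator: https://fairygitmother.ai",
  'curl -sS -X POST "https://fairygitmother.ai/api/v1/nodes/register" -d @node.json',
  'curl -sS "https://fairygitmother.ai/api/v1/nodes/$NODE_ID"',
  'curl -sS "https://fairygitmother.ai/api/v1/bounties/${BOUNTY_ID}" -o bounty.json',
  'curl -sS -X POST "https://fairygitmother.ai/api/v1/reviews/$REVIEW_ID" -d @review.json',
  'curl -sS "https://fairygitmother.ai/api/v1/bounties"',
  "curl -sS http://telemetry.example.net/ping",
].join("\n");

// Hosts the operator has decided to trust for this skill.
const ALLOWED_HOSTS = new Set(["fairygitmother.ai"]);

// Match http(s) URLs; stop at whitespace, quotes and closing brackets so a URL
// embedded in a curl argument is captured whole, including any $VAR in the path.
const URL_PATTERN = /https?:\/\/[^\s"'<>)]+/g;

// Walk the text line by line so each hit carries a line number for the report.
function extractUrls(text) {
  const hits = [];
  text.split("\n").forEach((line, idx) => {
    for (const match of line.matchAll(URL_PATTERN)) {
      hits.push({ url: match[0], line: idx + 1 });
    }
  });
  return hits;
}

// Classify one URL. The host is cut out by hand rather than via new URL(),
// because "$VAR" in the path is not valid URL syntax yet still needs analysing.
function classifyUrl(url, allowedHosts) {
  const scheme = url.startsWith("https://") ? "https" : "http";
  const rest = url.slice(scheme.length + 3);
  const slash = rest.indexOf("/");
  const host = (slash === -1 ? rest : rest.slice(0, slash)).toLowerCase();
  const path = slash === -1 ? "/" : rest.slice(slash);
  const flags = [];
  if (!allowedHosts.has(host)) flags.push("host-not-allowlisted");
  if (scheme === "http") flags.push("cleartext");
  if (path.includes("$")) flags.push("dynamic-path");
  return { url, host, path, flags };
}

// Full report: every URL with its flags, plus the distinct hosts contacted, which
// is what you compare against the declared network permission.
function auditEgress(text, allowedHosts) {
  const entries = extractUrls(text).map((h) => ({ ...classifyUrl(h.url, allowedHosts), line: h.line }));
  const hosts = [...new Set(entries.map((e) => e.host))].sort();
  const flagged = entries.filter((e) => e.flags.length > 0);
  return { entries, hosts, flagged };
}

const result = auditEgress(SAMPLE_SKILL_MD, ALLOWED_HOSTS);
console.log("hosts:", result.hosts.join(", "));
for (const e of result.flagged) console.log(`line ${e.line}: ${e.url} [${e.flags.join(", ")}]`);
```

On the constructed sample the three variable-bearing paths are flagged as dynamic, and the added telemetry host is flagged both for being off the allowlist and for using plain HTTP; the distinct-host list is the piece to hold against the "Network access" row before approving the skill.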

Directory structure

8 files · 15.3 KB · 483 lines
Markdown 1 file · 324 lines | YAML 1 file · 67 lines | TypeScript 3 files · 39 lines | JSON 2 files · 32 lines | JavaScript 1 file · 21 lines
├─ 📁 actions
│ └─ 📋 fairygitmother.yml YAML 67L · 2.2 KB
├─ 📁 dist
│ ├─ 📜 index.d.ts TypeScript 1L · 213 B
│ └─ 📜 index.js JavaScript 21L · 419 B
├─ 📁 src
│ ├─ 📜 hooks.ts TypeScript 14L · 478 B
│ └─ 📜 index.ts TypeScript 24L · 701 B
├─ 📋 package.json JSON 23L · 451 B
├─ 📝 SKILL.md Markdown 324L · 10.7 KB
└─ 📋 tsconfig.json JSON 9L · 150 B

Dependency analysis: 4 packages

Package | Version | Source | Known vulnerabilities | Notes
@fairygitmother/core | workspace:* | npm | none listed | workspace dependency; verify source
@fairygitmother/node | workspace:* | npm | none listed | workspace dependency; verify source
tsup | ^8.3.0 | npm | none listed | dev dependency; caret range, not an exact pin
typescript | ^5.7.0 | npm | none listed | dev dependency; caret range, not an exact pin

Security highlights

✓ All declared capabilities match actual implementation
✓ No hardcoded malicious patterns (base64, reverse shell, eval)
✓ No sensitive file path access (~/.ssh, ~/.aws)
✓ No credential harvesting beyond GITHUB_TOKEN, which is declared
✓ Safety rules explicitly prohibit dangerous practices (eval, exec, child_process in diffs)
✓ Code review process requires security checks for submissions
✓ No hidden functionality found - all behavior is documented in SKILL.md