Low risk: risk score 15/100
Last scan: 2 days ago
quint-memory
Quint Memory Guard - portable context layer for AI agents that preserves memory across sessions
A legitimate context memory skill with declared external API connectivity and standard credential storage patterns. Minor documentation gaps around credential paths do not constitute security violations.
Skill name: quint-memory
Analysis time: 32.4s
Engine: pi
Verdict: OK to install
Consider documenting credential storage paths (~/.quint, ~/.openclaw/quint.json) in SKILL.md for transparency. Otherwise safe to use.

Security findings: 2

Severity | Finding | Location

Low | Undocumented credential storage | SKILL.md:1
SKILL.md does not mention that credentials are stored in ~/.quint or ~/.openclaw/quint.json. This is standard practice but should be documented.
Evidence: no mention of credential storage paths
Recommendation: add a 'What Quint Stores' section documenting ~/.quint for tokens and ~/.openclaw/quint.json for device credentials

Low | Setup script not referenced in documentation | SKILL.md:71
SKILL.md describes the setup flow but does not mention the setup.sh script or its execution. Users are expected to run 'openclaw quint pair', not setup.sh directly.
Evidence: "Walk your user through this step by step"
Recommendation: consider documenting that setup.sh handles MCP server registration
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ Consistent | handler.ts:31 reads ~/.openclaw/quint.json for device credentials
Network access | NONE | WRITE | ✓ Consistent | setup.sh:71, handler.ts:40 POST to api.getquint.ai - documented purpose but not …
Command execution | NONE | WRITE | ✓ Consistent | setup.sh:85 uses claude mcp add for legitimate MCP server registration
External URLs: 6 findings

Severity | Type | URL | Location
Medium | External URL | https://getquint.ai | README.md:3
Medium | External URL | https://getquint.ai/signup | README.md:13
Medium | External URL | https://api.getquint.ai/mcp | README.md:24
Medium | External URL | https://relay.getquint.ai/v1/relay/status/[device_id | SKILL.md:84
Medium | External URL | https://api.getquint.ai | SKILL.md:127
Medium | External URL | https://nodejs.org | setup.sh:14

Directory structure

4 files · 16.6 KB · 448 lines
Markdown: 2 files · 235 lines; Shell: 1 file · 108 lines; TypeScript: 1 file · 105 lines
├─ handler.ts (TypeScript, 105 lines · 3.0 KB)
├─ README.md (Markdown, 37 lines · 1.0 KB)
├─ setup.sh (Shell, 108 lines · 3.9 KB)
└─ SKILL.md (Markdown, 198 lines · 8.8 KB)

Security highlights

✓ Uses the environment variables QUINT_TOKEN and QUINT_PRINCIPAL_TOKEN instead of hardcoding credentials
✓ No credential exfiltration - tokens used only for authenticated API calls to declared endpoints
✓ Standard file permissions (chmod 600) applied to credential storage
✓ No base64-encoded payloads or obfuscated code
✓ External URLs all reference documented getquint.ai domain
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Setup script provides proper error handling and user consent prompts
✓ Validates tokens against API before saving