Suspicious: risk score 40/100
Last scan: 18 hours ago
Receipt Logger
Generate signed, append-only audit logs for agent actions. Solve the trust without vibes problem.
SKILL.md declares a 'receipt-logger' CLI tool with HMAC signing and append-only logging, but no implementation script exists in the file tree — only SKILL.md and config.json are present, constituting a severe documentation-to-code mismatch.
Skill name: Receipt Logger
Analysis time: 37.7s
Engine: pi
Use with caution
Do not use this skill until the 'receipt-logger' implementation script is provided and verified. The documentation describes functional behavior (shell-based CLI with HMAC signing) that is entirely absent from the package.

Security findings: 2

Severity | Finding | Location
High
Implementation script missing — documented functionality absent (category: documentation deception)
SKILL.md declares 'receipt-logger' as the main CLI entry point with full functionality (log, list, verify, export commands with HMAC signing), but the file tree contains only SKILL.md and config.json. No shell script, Python script, or any implementation file exists. This is a severe doc-to-code mismatch where the stated capabilities cannot be executed.
# Receipt Logger
...
receipt-logger log --action "query_weather"
→ Provide the 'receipt-logger' implementation script or remove the documentation claiming its existence. If this is a template/stub, it should be clearly labeled as non-functional.
SKILL.md:1
Low
config.json marked as sensitive without justification (category: documentation deception)
Pre-scan metadata flags config.json as 'sensitive', but the file contains only standard skill metadata (name, slug, version, tags, license). No credentials, tokens, or secrets are present. Either the sensitivity flag is incorrect, or there is hidden content not visible in the scan.
{"name": "Receipt Logger", "slug": "receipt-logger", "version": "1.0.0", ...}
→ Verify config.json contains no hidden or encoded data. If it only holds metadata, the sensitivity flag should be corrected.
config.json:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem NONE NONE No implementation code present to analyze filesystem access patterns
Command execution NONE NONE SKILL.md references 'receipt-logger' as a shell CLI, but no shell script exists …
Network access NONE NONE No implementation code to analyze network behavior

Directory structure

2 files · 2.2 KB · 76 lines
Markdown: 1 file · 63 lines; JSON: 1 file · 13 lines
├─ 🔑 config.json JSON 13L · 410 B
└─ 📝 SKILL.md Markdown 63L · 1.8 KB

Security highlights

✓ No malicious code patterns found (base64, reverse shells, eval calls) — however, there is no code to analyze
✓ No credential harvesting attempts identified
✓ No data exfiltration infrastructure present
✓ No network communication patterns observed
✓ No obfuscation techniques detected
✓ config.json contains no actual secrets despite sensitivity flag