Trusted — Risk Score 5/100
Last scan: 1 day ago
daily-sleep
Daily sleep assistant: morning wake-up guidance and sleep-quality review; evening pre-bed relaxation routine and sleep-aid techniques
Legitimate sleep assistant skill with no malicious behavior - uses filesystem only for user preferences, has proper path traversal protection, and outputs prompts to console.
Skill Name: daily-sleep
Duration: 26.8s
Engine: pi
Safe to install
No action needed. This skill is safe to use.

Findings (3 items)

Severity: Low
Finding: Missing permission declarations
Details: SKILL.md does not explicitly declare filesystem READ/WRITE permissions for managing user preferences in data/users/. No allowed-tools or permissions section is present.
→ Add explicit permission declarations for filesystem:READ and filesystem:WRITE
Location: SKILL.md:1

Severity: Info
Finding: Proper path traversal protection
Details: All scripts implement safeUserPath() with directory boundary validation.
Evidence: if(!r.startsWith(path.resolve(USERS_DIR)+path.sep))
→ Good security practice; maintain this pattern
Location: scripts/push-toggle.js:9

Severity: Info
Finding: Strict input validation
Details: userId sanitized with regex /^[a-zA-Z0-9_-]{1,128}$/ and time format validated.
Evidence: function sanitizeId(v){if(typeof v!=='string'||!/^[a-zA-Z0-9_-]{1,128}$/.test(v))
→ Good security practice; maintain strict validation
Location: scripts/push-toggle.js:8
Resource      Declared  Inferred  Status      Evidence
Filesystem    NONE      READ      ✓ Aligned   push-toggle.js:7,20-21
Filesystem    NONE      WRITE     ✓ Aligned   push-toggle.js:28
Network       NONE      NONE                  No network calls detected
Shell         NONE      NONE                  Node scripts execute locally, no shell commands executed
Environment   NONE      NONE                  No env access detected
Database      NONE      NONE                  No database access detected
External URLs (1 finding)

Medium: External URL
https://openclaw.ai
README.md:5

File Tree

7 files · 10.0 KB · 210 lines
Markdown: 2 files · 110 lines; JavaScript: 3 files · 85 lines; JSON: 2 files · 15 lines
├─ 📁 scripts
│ ├─ 📜 evening-push.js JavaScript 18L · 1.5 KB
│ ├─ 📜 morning-push.js JavaScript 18L · 1.5 KB
│ └─ 📜 push-toggle.js JavaScript 49L · 3.5 KB
├─ 📋 _meta.json JSON 7L · 137 B
├─ 📋 package.json JSON 8L · 153 B
├─ 📝 README.md Markdown 44L · 1.6 KB
└─ 📝 SKILL.md Markdown 66L · 1.6 KB

Dependencies 2 items

Package           Version  Source  Known Vulns  Notes
fs (built-in)     N/A      nodejs  No           Node.js built-in module
path (built-in)   N/A      nodejs  No           Node.js built-in module

Security Positives

✓ No network exfiltration or external IP connections
✓ No credential harvesting from environment variables
✓ No base64 encoded commands or obfuscated payloads
✓ No shell command injection vectors
✓ Proper path traversal protection with directory boundary checks
✓ Strict input validation for userId and time formats
✓ Whitelist approach for allowed channels (telegram, feishu, slack, discord)
✓ No remote script execution (curl|bash, wget|sh)
✓ Uses only Node.js built-in modules (fs, path) - no external dependencies with vulnerabilities
✓ User data stored locally in JSON format without sensitive information