Trusted — risk score 5/100
Last scan: 2 days ago
daily-sleep
Daily sleep assistant — morning wake-up guidance and sleep-quality review; evening wind-down routine and sleep-aid tips
Legitimate sleep assistant skill with no malicious behavior - uses filesystem only for user preferences, has proper path traversal protection, and outputs prompts to console.
Skill name: daily-sleep
Analysis time: 26.8s
Engine: pi
Verdict: can be installed
No action needed. This skill is safe to use.

Security findings: 3

Severity | Finding | Location
Low | Missing permission declarations | SKILL.md:1
  SKILL.md does not explicitly declare filesystem READ/WRITE permissions for managing user preferences in data/users/. No allowed-tools or permissions section is present.
  → Add explicit permission declarations for filesystem:READ and filesystem:WRITE
Info | Proper path traversal protection | scripts/push-toggle.js:9
  All scripts implement safeUserPath() with directory boundary validation:
  if(!r.startsWith(path.resolve(USERS_DIR)+path.sep))
  → Good security practice; maintain this pattern
Info | Strict input validation | scripts/push-toggle.js:8
  UserId sanitized with regex /^[a-zA-Z0-9_-]{1,128}$/ and time format validated:
  function sanitizeId(v){if(typeof v!=='string'||!/^[a-zA-Z0-9_-]{1,128}$/.test(v))
  → Good security practice; maintain strict validation
Resource type | Declared permission | Inferred permission | Status / Evidence
Filesystem | NONE | READ | ✓ Consistent · push-toggle.js:7,20-21
Filesystem | NONE | WRITE | ✓ Consistent · push-toggle.js:28
Network access | NONE | NONE | No network calls detected
Command execution | NONE | NONE | Node scripts execute locally; no shell commands executed
Environment variables | NONE | NONE | No env access detected
Database | NONE | NONE | No database access detected
External URLs: 1 finding
Medium | External URL | https://openclaw.ai | README.md:5

Directory structure

7 files · 10.0 KB · 210 lines
Markdown: 2 files · 110 lines | JavaScript: 3 files · 85 lines | JSON: 2 files · 15 lines
├─ 📁 scripts
│ ├─ 📜 evening-push.js JavaScript 18L · 1.5 KB
│ ├─ 📜 morning-push.js JavaScript 18L · 1.5 KB
│ └─ 📜 push-toggle.js JavaScript 49L · 3.5 KB
├─ 📋 _meta.json JSON 7L · 137 B
├─ 📋 package.json JSON 8L · 153 B
├─ 📝 README.md Markdown 44L · 1.6 KB
└─ 📝 SKILL.md Markdown 66L · 1.6 KB

Dependency analysis: 2 items

Package | Version | Source | Known vulnerabilities | Notes
fs (built-in) | N/A | nodejs | | Node.js built-in module
path (built-in) | N/A | nodejs | | Node.js built-in module

Security highlights

✓ No network exfiltration or external IP connections
✓ No credential harvesting from environment variables
✓ No base64 encoded commands or obfuscated payloads
✓ No shell command injection vectors
✓ Proper path traversal protection with directory boundary checks
✓ Strict input validation for userId and time formats
✓ Whitelist approach for allowed channels (telegram, feishu, slack, discord)
✓ No remote script execution (curl|bash, wget|sh)
✓ Uses only Node.js built-in modules (fs, path) - no external dependencies with vulnerabilities
✓ User data stored locally in JSON format without sensitive information