Trusted — Risk Score 5/100
Last scan: 23 hr ago
reply-coach
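Reads chat content from the clipboard and generates emotionally intelligent reply suggestions that respect boundaries and sound natural, not sleazy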
Benign clipboard-reading skill with minimal attack surface and no malicious behavior detected.
Skill Name: reply-coach
Duration: 20.5s
Engine: pi
Safe to install
No action required. This skill is safe for use.

Findings: 1 item

Severity: Low
Finding: Shell execution not explicitly declared (Doc Mismatch)
Location: SKILL.md:14
SKILL.md runs 'node {baseDir}/scripts/reply_from_clipboard.mjs' but does not explicitly declare shell:WRITE permission. However, this is acceptable for script execution and the command is benign (only runs pbpaste).
node {baseDir}/scripts/reply_from_clipboard.mjs
→ Consider documenting shell:WRITE permission in SKILL.md for transparency
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Clipboard | READ | READ | ✓ Aligned | scripts/reply_from_clipboard.mjs:9 - pbpaste command |
| Shell | NONE | WRITE | ✓ Aligned | scripts/reply_from_clipboard.mjs:6 - execSync for pbpaste |
| Filesystem | NONE | NONE | | No filesystem access detected |
| Network | NONE | NONE | | No network requests detected |

File Tree

4 files · 2.3 KB · 97 lines
Markdown 3f · 77L JavaScript 1f · 20L
├─ 📁 scripts
│ └─ 📜 reply_from_clipboard.mjs JavaScript 20L · 448 B
├─ 📝 CHANGELOG.md Markdown 8L · 211 B
├─ 📝 README.md Markdown 35L · 684 B
└─ 📝 SKILL.md Markdown 34L · 989 B

Security Positives

✓ No network requests or data exfiltration
✓ No credential harvesting or environment variable access
✓ No obfuscation or base64-encoded commands
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ No external dependencies or supply chain risks
✓ Single-purpose tool with clear, documented functionality
✓ No remote script execution (curl|bash, wget|sh)
✓ Clear documentation with explicit 'not do' list