Low risk (risk score 25/100)
Last scanned: 21 hours ago
daily-backup
Daily Git backup. Commits all changes in the workspace and records a change summary. Triggered by a cron job or by manual invocation.
Documentation-only skill with a declared-permission mismatch, but no actual executable code or scripts are present to evaluate for malicious behavior.
Skill name: daily-backup
Analysis time: 35.6s
Engine: pi
Verdict: Safe to install
Recommendation: Add the missing permission declarations in the SKILL.md YAML frontmatter for filesystem:READ (spec reading), filesystem:WRITE (report generation), shell:WRITE (script execution), and network:WRITE (Feishu API). Create the actual scripts/auto-backup.sh with documented, pinned git operations.

Security findings (2)

Finding 1 (severity: Low): Undeclared permission requirements [documentation deception]
  SKILL.md YAML frontmatter declares 'allowed-tools: NONE', but the documented behavior requires filesystem:READ, filesystem:WRITE, shell:WRITE, and network:WRITE to function as described.
  Evidence: allowed-tools: NONE
  → Declare the required permissions in the YAML frontmatter so they match the documented workflow.
  Location: SKILL.md:1

Finding 2 (severity: Low): Referenced script does not exist [documentation deception]
  The skill references scripts/auto-backup.sh for its core functionality, but no such file exists in the package. Without the actual implementation, the true behavior cannot be audited.
  Evidence: Run `scripts/auto-backup.sh`
  → Include the actual backup script implementation for security review.
  Location: references/spec.md:6
Resource type      Declared  Inferred  Status        Evidence
-----------------  --------  --------  ------------  ------------------------------------------------------
Filesystem         NONE      READ      ✗ Undeclared  SKILL.md:8 - reads references/spec.md
Filesystem         NONE      WRITE     ✗ Undeclared  SKILL.md:17 - writes data/exec-logs/daily-backup/ reports
Command execution  NONE      WRITE     ✗ Undeclared  references/spec.md:6 - runs scripts/auto-backup.sh
Network access     NONE      WRITE     ✗ Undeclared  SKILL.md:14 - sends reports to Feishu

Directory structure

2 files · 1.7 KB · 78 lines
Markdown 2f · 78L
├─ 📁 references
│ └─ 📝 spec.md Markdown 42L · 764 B
└─ 📝 SKILL.md Markdown 36L · 955 B

Security highlights

✓ No malicious code present: only documentation files exist
✓ No sensitive file access patterns detected
✓ No network exfiltration indicators
✓ No obfuscation or base64-encoded payloads
✓ No credential harvesting mechanisms
✓ No suspicious dependencies or supply chain risks