中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 15/100
Last scan:19 hr ago Rescan
15 /100
workswith-claw
智能家居中间件 - Home Assistant integration for semantic device control, habit learning, and smart automation
Workswith Claw is a legitimate smart home middleware that integrates with Home Assistant API. No malicious behavior detected; minor documentation gaps regarding optional LLM API calls.
Skill Nameworkswith-claw
Duration93.4s
Enginepi
Safe to install
This skill is safe to use. Consider documenting the optional LLM API integration in SKILL.md and removing hardcoded fallback URLs.

Findings 3 items

Severity Finding Location
Low
LLM API integration not documented Doc Mismatch
llm_enhancer.py supports OpenAI, Anthropic, and MiniMax APIs for intent enhancement when LLM_API_KEY is configured, but this optional capability is not mentioned in SKILL.md permissions section
self.api_key = os.getenv("LLM_API_KEY", "")
→ Add LLM integration to SKILL.md permissions table if this feature is intended for production use
 src/services/llm_enhancer.py:14
Low
Hardcoded example URLs in source code Doc Mismatch
Multiple API route files contain hardcoded fallback URLs as development defaults (e.g., http://192.168.31.27:8123)
HA_URL = os.getenv("HA_URL", "http://192.168.31.27:8123")
→ Remove hardcoded IP addresses and use empty defaults that require explicit configuration
 src/api/routes/devices.py:15
Low
CORS wildcard configuration Sensitive Access
FastAPI CORS middleware is configured with allow_origins=['*'], which permits cross-origin requests from any domain
allow_origins=["*"], allow_credentials=True
→ Restrict CORS to specific trusted origins for production deployment
 src/main.py:29
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned src/services/ha_client.py:63-72
Filesystem WRITE WRITE ✓ Aligned src/api/routes/apply.py:99 - writes to ~/.homeassistant/automations/
Environment READ READ ✓ Aligned src/services/ha_client.py:17-18 - reads HA_URL, HA_TOKEN
Database WRITE WRITE ✓ Aligned src/storage/database.py - local SQLite storage
10 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/github/stars/workswith/claw?style=flat
README.md:5
🔗
Medium External URL 外部 URL
https://img.shields.io/github/license/workswith/claw
README.md:6
🔗
Medium External URL 外部 URL
http://192.168.x.x:8123
README.md:103
🔗
Medium External URL 外部 URL
https://www.home-assistant.io/installation/raspberry-pi
README.md:191
🔗
Medium External URL 外部 URL
https://www.home-assistant.io/
README.md:270
🔗
Medium External URL 外部 URL
http://192.168.1.x:8123
_meta.json:10
🔗
Medium External URL 外部 URL
http://192.168.31.27:8123
src/api/routes/apply.py:153
🔗
Medium External URL 外部 URL
http://homeassistant.local:8123
src/api/routes/intent.py:22
🔗
Medium External URL 外部 URL
https://api.minimax.chat/v1/text/chatcompletion_v2
src/services/llm_enhancer.py:103
🔗
Medium External URL 外部 URL
http://192.168.1.1:8123
tests/test_ha_client.py:52

File Tree

44 files · 146.0 KB · 4276 lines
Python 37f · 2836L HTML 1f · 818L Markdown 2f · 469L YAML 2f · 113L Text 1f · 27L JSON 1f · 13L
├─ 📁 config
│ └─ 📋 scenes.yaml YAML 96L · 2.4 KB
├─ 📁 src
│ ├─ 📁 api
│ │ ├─ 📁 routes
│ │ │ ├─ 🐍 __init__.py Python 0 B
│ │ │ ├─ 🐍 apply.py Python 170L · 4.9 KB
│ │ │ ├─ 🐍 dashboard.py Python 74L · 1.7 KB
│ │ │ ├─ 🐍 devices.py Python 158L · 4.5 KB
│ │ │ ├─ 🐍 health.py Python 14L · 209 B
│ │ │ ├─ 🐍 insights_v2.py Python 164L · 4.6 KB
│ │ │ ├─ 🐍 insights.py Python 102L · 4.1 KB
│ │ │ ├─ 🐍 intent.py Python 92L · 2.7 KB
│ │ │ ├─ 🐍 scenes.py Python 30L · 931 B
│ │ │ ├─ 🐍 semantic.py Python 233L · 6.7 KB
│ │ │ └─ 🐍 suggestions.py Python 116L · 3.0 KB
│ │ └─ 🐍 __init__.py Python 0 B
│ ├─ 📁 core
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ └─ 🐍 auth.py Python 39L · 864 B
│ ├─ 📁 models
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 habit.py Python 23L · 518 B
│ │ ├─ 🐍 intent.py Python 21L · 494 B
│ │ └─ 🐍 scene.py Python 26L · 492 B
│ ├─ 📁 services
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 data_collector.py Python 72L · 2.1 KB
│ │ ├─ 🐍 ha_client.py Python 143L · 4.9 KB
│ │ ├─ 🐍 habit_analyzer.py Python 158L · 4.8 KB
│ │ ├─ 🐍 intent_parser.py Python 106L · 3.5 KB
│ │ ├─ 🐍 llm_enhancer.py Python 132L · 4.6 KB
│ │ ├─ 🐍 openclaw_client.py Python 78L · 2.5 KB
│ │ ├─ 🐍 scene_engine.py Python 101L · 3.0 KB
│ │ ├─ 🐍 suggestion_engine.py Python 96L · 3.1 KB
│ │ └─ 🐍 task_orchestrator.py Python 118L · 3.4 KB
│ ├─ 📁 storage
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ └─ 🐍 database.py Python 220L · 7.4 KB
│ ├─ 🐍 __init__.py Python 0 B
│ └─ 🐍 main.py Python 50L · 1.7 KB
├─ 📁 static
│ └─ 📄 dashboard.html HTML 818L · 46.4 KB
├─ 📁 tests
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 test_ha_client.py Python 56L · 1.5 KB
│ ├─ 🐍 test_habit_analyzer.py Python 94L · 2.6 KB
│ ├─ 🐍 test_intent_parser.py Python 72L · 2.0 KB
│ └─ 🐍 test_scene_engine.py Python 78L · 1.8 KB
├─ 📋 _meta.json JSON 13L · 463 B
├─ 📋 docker-compose.yml YAML 17L · 368 B
├─ 📝 README.md Markdown 296L · 7.3 KB
├─ 📄 requirements.txt Text 27L · 382 B
└─ 📝 SKILL.md Markdown 173L · 4.0 KB

Dependencies 6 items

PackageVersionSourceKnown VulnsNotes
fastapi 0.109.0 pip No Version pinned
uvicorn 0.27.0 pip No Version pinned
aiohttp 3.9.3 pip No Version pinned
aiosqlite 0.19.0 pip No Version pinned
pydantic 2.5.3 pip No Version pinned
pyyaml 6.0.1 pip No Version pinned

Security Positives

✓ All dependencies have pinned versions in requirements.txt
✓ No obfuscated code (base64, eval, exec) found
✓ No credential harvesting beyond HA API token (which is user-configured)
✓ No reverse shell, C2, or data exfiltration patterns detected
✓ File writes are restricted to user-designated directories (~/.homeassistant/automations/)
✓ No supply chain vulnerabilities detected
✓ Core functionality (HA integration, local storage) properly documented in SKILL.md
✓ SQL injection protection via parameterized queries in database.py
✓ Singleton pattern used for HAClient to prevent credential duplication