中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:19 小时前 重新扫描
15 /100
workswith-claw
智能家居中间件 - Home Assistant integration for semantic device control, habit learning, and smart automation
Workswith Claw is a legitimate smart home middleware that integrates with Home Assistant API. No malicious behavior detected; minor documentation gaps regarding optional LLM API calls.
技能名称workswith-claw
分析耗时93.4s
引擎pi
可以安装
This skill is safe to use. Consider documenting the optional LLM API integration in SKILL.md and removing hardcoded fallback URLs.

安全发现 3 项

严重性 安全发现 位置
低危
LLM API integration not documented 文档欺骗
llm_enhancer.py supports OpenAI, Anthropic, and MiniMax APIs for intent enhancement when LLM_API_KEY is configured, but this optional capability is not mentioned in SKILL.md permissions section
self.api_key = os.getenv("LLM_API_KEY", "")
→ Add LLM integration to SKILL.md permissions table if this feature is intended for production use
 src/services/llm_enhancer.py:14
低危
Hardcoded example URLs in source code 文档欺骗
Multiple API route files contain hardcoded fallback URLs as development defaults (e.g., http://192.168.31.27:8123)
HA_URL = os.getenv("HA_URL", "http://192.168.31.27:8123")
→ Remove hardcoded IP addresses and use empty defaults that require explicit configuration
 src/api/routes/devices.py:15
低危
CORS wildcard configuration 敏感访问
FastAPI CORS middleware is configured with allow_origins=['*'], which permits cross-origin requests from any domain
allow_origins=["*"], allow_credentials=True
→ Restrict CORS to specific trusted origins for production deployment
 src/main.py:29
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 src/services/ha_client.py:63-72
文件系统 WRITE WRITE ✓ 一致 src/api/routes/apply.py:99 - writes to ~/.homeassistant/automations/
环境变量 READ READ ✓ 一致 src/services/ha_client.py:17-18 - reads HA_URL, HA_TOKEN
数据库 WRITE WRITE ✓ 一致 src/storage/database.py - local SQLite storage
10 项发现
🔗
中危 外部 URL 外部 URL
https://img.shields.io/github/stars/workswith/claw?style=flat
README.md:5
🔗
中危 外部 URL 外部 URL
https://img.shields.io/github/license/workswith/claw
README.md:6
🔗
中危 外部 URL 外部 URL
http://192.168.x.x:8123
README.md:103
🔗
中危 外部 URL 外部 URL
https://www.home-assistant.io/installation/raspberry-pi
README.md:191
🔗
中危 外部 URL 外部 URL
https://www.home-assistant.io/
README.md:270
🔗
中危 外部 URL 外部 URL
http://192.168.1.x:8123
_meta.json:10
🔗
中危 外部 URL 外部 URL
http://192.168.31.27:8123
src/api/routes/apply.py:153
🔗
中危 外部 URL 外部 URL
http://homeassistant.local:8123
src/api/routes/intent.py:22
🔗
中危 外部 URL 外部 URL
https://api.minimax.chat/v1/text/chatcompletion_v2
src/services/llm_enhancer.py:103
🔗
中危 外部 URL 外部 URL
http://192.168.1.1:8123
tests/test_ha_client.py:52

目录结构

44 文件 · 146.0 KB · 4276 行
Python 37f · 2836L HTML 1f · 818L Markdown 2f · 469L YAML 2f · 113L Text 1f · 27L JSON 1f · 13L
├─ 📁 config
│ └─ 📋 scenes.yaml YAML 96L · 2.4 KB
├─ 📁 src
│ ├─ 📁 api
│ │ ├─ 📁 routes
│ │ │ ├─ 🐍 __init__.py Python 0 B
│ │ │ ├─ 🐍 apply.py Python 170L · 4.9 KB
│ │ │ ├─ 🐍 dashboard.py Python 74L · 1.7 KB
│ │ │ ├─ 🐍 devices.py Python 158L · 4.5 KB
│ │ │ ├─ 🐍 health.py Python 14L · 209 B
│ │ │ ├─ 🐍 insights_v2.py Python 164L · 4.6 KB
│ │ │ ├─ 🐍 insights.py Python 102L · 4.1 KB
│ │ │ ├─ 🐍 intent.py Python 92L · 2.7 KB
│ │ │ ├─ 🐍 scenes.py Python 30L · 931 B
│ │ │ ├─ 🐍 semantic.py Python 233L · 6.7 KB
│ │ │ └─ 🐍 suggestions.py Python 116L · 3.0 KB
│ │ └─ 🐍 __init__.py Python 0 B
│ ├─ 📁 core
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ └─ 🐍 auth.py Python 39L · 864 B
│ ├─ 📁 models
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 habit.py Python 23L · 518 B
│ │ ├─ 🐍 intent.py Python 21L · 494 B
│ │ └─ 🐍 scene.py Python 26L · 492 B
│ ├─ 📁 services
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 data_collector.py Python 72L · 2.1 KB
│ │ ├─ 🐍 ha_client.py Python 143L · 4.9 KB
│ │ ├─ 🐍 habit_analyzer.py Python 158L · 4.8 KB
│ │ ├─ 🐍 intent_parser.py Python 106L · 3.5 KB
│ │ ├─ 🐍 llm_enhancer.py Python 132L · 4.6 KB
│ │ ├─ 🐍 openclaw_client.py Python 78L · 2.5 KB
│ │ ├─ 🐍 scene_engine.py Python 101L · 3.0 KB
│ │ ├─ 🐍 suggestion_engine.py Python 96L · 3.1 KB
│ │ └─ 🐍 task_orchestrator.py Python 118L · 3.4 KB
│ ├─ 📁 storage
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ └─ 🐍 database.py Python 220L · 7.4 KB
│ ├─ 🐍 __init__.py Python 0 B
│ └─ 🐍 main.py Python 50L · 1.7 KB
├─ 📁 static
│ └─ 📄 dashboard.html HTML 818L · 46.4 KB
├─ 📁 tests
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 test_ha_client.py Python 56L · 1.5 KB
│ ├─ 🐍 test_habit_analyzer.py Python 94L · 2.6 KB
│ ├─ 🐍 test_intent_parser.py Python 72L · 2.0 KB
│ └─ 🐍 test_scene_engine.py Python 78L · 1.8 KB
├─ 📋 _meta.json JSON 13L · 463 B
├─ 📋 docker-compose.yml YAML 17L · 368 B
├─ 📝 README.md Markdown 296L · 7.3 KB
├─ 📄 requirements.txt Text 27L · 382 B
└─ 📝 SKILL.md Markdown 173L · 4.0 KB

依赖分析 6 项

包名版本来源已知漏洞备注
fastapi 0.109.0 pip Version pinned
uvicorn 0.27.0 pip Version pinned
aiohttp 3.9.3 pip Version pinned
aiosqlite 0.19.0 pip Version pinned
pydantic 2.5.3 pip Version pinned
pyyaml 6.0.1 pip Version pinned

安全亮点

✓ All dependencies have pinned versions in requirements.txt
✓ No obfuscated code (base64, eval, exec) found
✓ No credential harvesting beyond HA API token (which is user-configured)
✓ No reverse shell, C2, or data exfiltration patterns detected
✓ File writes are restricted to user-designated directories (~/.homeassistant/automations/)
✓ No supply chain vulnerabilities detected
✓ Core functionality (HA integration, local storage) properly documented in SKILL.md
✓ SQL injection protection via parameterized queries in database.py
✓ Singleton pattern used for HAClient to prevent credential duplication