daily-idiom Security Report — Trusted | ClawSafe

5 /100

daily-idiom

每日成语学习 — Daily Chinese idiom learning with story, usage, examples, and quiz

A legitimate daily Chinese idiom learning skill with no malicious behavior detected.

Skill Namedaily-idiom

Duration26.4s

Enginepi

✓

Safe to install

This skill is safe to use. The implementation is straightforward educational content generation with push notification management.

Findings 1 items

Severity	Finding	Location
Low	Dependencies not version pinned package.json does not pin specific versions for dependencies. However, this is low risk since only built-in Node.js modules (fs, path) are used. `"dependencies": {}` → Consider adding pinned versions if external dependencies are added in the future.	`package.json:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✓ Aligned	SKILL.md declares node runtime; scripts read/write to data/users/ for user prefe…
Network	`NONE`	`NONE`	—	No network access in any scripts
Shell	`READ`	`READ`	✓ Aligned	Only documented node script invocations
Environment	`NONE`	`NONE`	—	No environment variable access
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

1 findings

🔗

Medium External URL 外部 URL

https://openclaw.ai

README.md:5

7 files · 9.8 KB · 214 lines

Markdown 2f · 114L JavaScript 3f · 85L JSON 2f · 15L

├─ ▾ 📁 scripts

│ ├─ 📜 evening-push.js JavaScript 18L · 1.3 KB

│ ├─ 📜 morning-push.js JavaScript 18L · 1.5 KB

│ └─ 📜 push-toggle.js JavaScript 49L · 3.5 KB

├─ 📋 _meta.json JSON 7L · 137 B

├─ 📋 package.json JSON 8L · 153 B

├─ 📝 README.md Markdown 53L · 1.6 KB

└─ 📝 SKILL.md Markdown 61L · 1.6 KB

Package	Version	Source	Known Vulns	Notes
`(built-in only)`	`N/A`	Node.js stdlib	No	Uses only built-in modules: fs, path

✓ Path traversal protection implemented via safeUserPath() function with directory boundary checks

✓ Input validation on userId using strict regex pattern /^[a-zA-Z0-9_-]{1,128}$/

✓ Time sanitization prevents invalid cron expressions

✓ No credential harvesting or exfiltration

✓ No base64, eval(), or dynamic code execution

✓ No external network connections or IP addresses

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No curl|bash or wget|sh remote script execution

✓ Uses only built-in Node.js modules (fs, path)

✓ Clear documentation of functionality in SKILL.md