Trusted: risk score 5/100
Last scanned: 1 day ago
soul-in-sapphire
Long-term memory, state tracking, continuity review, and identity-change support for OpenClaw using Notion as a durable backend
A legitimate long-term-memory and continuity skill that uses a well-structured local subprocess bridge to the Notion API, with filesystem operations confined to documented paths and no credential harvesting or exfiltration.
Skill name: soul-in-sapphire
Analysis time: 43.6s
Engine: pi
Safe to install
Approve for use. No actionable security concerns found.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ | READ | ✓ Consistent | setup_ltm.js:identityName() reads IDENTITY.md; emostate_tick.js updates memory/n… |
| Network access | READ | READ | ✓ Consistent | notionctl_bridge.js:runApi() proxies all API calls through local notionctl.mjs s… |
| Command execution | WRITE | WRITE | ✓ Consistent | notionctl_bridge.js:17 uses execFileSync('node', args) — declared in SKILL.md me… |
| Environment variables | READ | READ | ✓ Consistent | notionctl_bridge.js:9 reads NOTIONCTL_PATH; emostate_tick.js does not iterate os… |
| Skill invocation | WRITE | WRITE | ✓ Consistent | SKILL.md declares 'dependsOnSkills': ['notion-api-automation']; notionctl_bridge… |
| Clipboard | NONE | NONE | | No clipboard access found in any script |
| Browser | NONE | NONE | | No browser automation in any script |
| Database | WRITE | WRITE | ✓ Consistent | All write scripts (emostate_tick.js, journal_write.js, ltm_write.js) create Noti… |
1 finding
Medium severity: External URL
https://www.notion.so/my-integrations
README.md:159

Directory structure

17 files · 77.3 KB · 2257 lines
JavaScript 11f · 1494L | Markdown 2f · 721L | JSON 4f · 42L
├─ 📁 scripts
│ ├─ 📜 conflict_track.js JavaScript 80L · 2.5 KB
│ ├─ 📜 continuity_check.js JavaScript 136L · 4.7 KB
│ ├─ 📜 emostate_tick.js JavaScript 442L · 13.5 KB
│ ├─ 📜 identity_diff.js JavaScript 90L · 3.2 KB
│ ├─ 📋 input.json JSON 10L · 1.6 KB
│ ├─ 📜 journal_patch_schema.js JavaScript 42L · 1.4 KB
│ ├─ 📜 journal_write.js JavaScript 119L · 3.9 KB
│ ├─ 📜 ltm_search.js JavaScript 67L · 2.2 KB
│ ├─ 📜 ltm_write.js JavaScript 48L · 1.9 KB
│ ├─ 📜 notionctl_bridge.js JavaScript 190L · 6.3 KB
│ ├─ 📜 setup_ltm.js JavaScript 230L · 8.3 KB
│ └─ 📜 state_recall.js JavaScript 50L · 1.7 KB
├─ 📁 state
│ └─ 📋 subagent-models.json JSON 17L · 293 B
├─ 📋 package-lock.json JSON 10L · 147 B
├─ 📋 package.json JSON 5L · 72 B
├─ 📝 README.md Markdown 295L · 9.4 KB
└─ 📝 SKILL.md Markdown 426L · 16.3 KB

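Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| node (runtime) | required | system | | Runtime dependency; no npm packages declared in package.json |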

Security highlights

✓ No credential harvesting — NOTION_API_KEY is consumed only for Notion authentication, not exfiltrated
✓ No sensitive path access — ~/.ssh, ~/.aws, .env files are not read
✓ No obfuscation — all code is clean ESM JavaScript with readable structure
✓ No remote script execution — no curl|bash, wget|sh, or eval() of encoded strings
✓ No base64-encoded execution or anti-analysis techniques
✓ Doc-to-code match is excellent — SKILL.md accurately describes all implemented behavior
✓ Subprocess via execFileSync is limited to the documented notionctl.mjs entrypoint
✓ Local filesystem writes are confined to documented paths (memory/, state/)
✓ Dependency surface is minimal — package.json has no external npm dependencies
✓ All API interactions go exclusively through the official Notion API
✓ Conflict records and state snapshots are append-only local artifacts with no outbound transmission