Low risk - risk score 15/100
Last scanned: 2 days ago
workout-tracker
Personal fitness tracker - records workout data, parses movements/sets/reps/weight, writes to local MySQL database
A legitimate fitness tracking skill with proper SQL injection protection, local-only database access, and parameterized queries. The placeholder passwords in documentation are clearly marked as examples for user replacement.
Skill name: workout-tracker
Analysis time: 36.8s
Engine: pi
Verdict: OK to install
No immediate action required. The skill follows security best practices. Consider updating documentation to use more visibly placeholder-style passwords (e.g., 'REPLACE_WITH_YOUR_PASSWORD') to reduce confusion.

Security findings (2)

Severity | Finding | Category | Location
Low | Placeholder passwords in documentation | Documentation deception | SKILL.md:30
SKILL.md and TOOLS.md contain example passwords such as 'your_secure_password' and 'temporary_password'. They are clearly marked as placeholders, but a more distinctive placeholder format (e.g., '<YOUR_PASSWORD>') would improve clarity.
Evidence: MYSQL_PASSWORD="your_secure_password"
→ Use a clearly identifiable placeholder format such as 'YOUR_PASSWORD_HERE' or '<REPLACE_ME>' in documentation.
Info | Reads .env configuration file | Sensitive access | scripts/init_database.py:89
Both Python scripts load configuration from the .workout-tracker.env file, if present. This is documented behaviour provided for convenience.
Evidence: load_env_file(env_file='.workout-tracker.env')
→ This is expected and documented behaviour. Ensure .env files are listed in .gitignore so real credentials are never committed.
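The two findings above come down to one operational question: does the configuration the scripts load actually contain a real credential, or a placeholder copied from the docs? The following is an added example, not code from the workout-tracker skill, showing how a config loader can parse the env file, refuse documentation placeholders (the ones the report lists plus the formats it recommends), build a unix-socket-only connection argument set, and check that .gitignore covers the env file. The env keys other than MYSQL_PASSWORD, the default socket path, and the placeholder heuristic are assumptions for this example; the sample file is constructed.

```python
import os
import re
from fnmatch import fnmatch
from pathlib import Path

# Placeholder strings the scan found in SKILL.md/TOOLS.md, plus the distinctive
# forms the report recommends. Constructed list for this example.
PLACEHOLDER_PASSWORDS = {
    "your_secure_password", "your_secure_password_here", "temporary_password",
    "YOUR_PASSWORD_HERE", "<REPLACE_ME>", "<YOUR_PASSWORD>", "REPLACE_WITH_YOUR_PASSWORD",
}

_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env_text(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and # comments are skipped, matching quotes stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENV_LINE.match(line)
        if not match:
            continue  # malformed line: ignore rather than guess
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def load_env_file(env_file=".workout-tracker.env") -> dict:
    """Return the parsed file, or {} when it does not exist (the documented 'if present' behaviour)."""
    path = Path(env_file)
    return parse_env_text(path.read_text(encoding="utf-8")) if path.is_file() else {}


def is_placeholder_password(value: str) -> bool:
    """True for empty values, the known documentation placeholders, <ANGLE> tokens and
    ALL_CAPS tokens containing PASSWORD/REPLACE/HERE. Heuristic; an assumption of this example."""
    v = value.strip()
    if not v or v in PLACEHOLDER_PASSWORDS:
        return True
    return bool(re.fullmatch(r"<[^<>]+>", v)
                or re.fullmatch(r"[A-Z0-9_]*(PASSWORD|REPLACE|HERE)[A-Z0-9_]*", v))


def mysql_connect_kwargs(env: dict) -> dict:
    """Build kwargs for mysql.connector.connect(): unix socket only, never a host/port pair."""
    password = env.get("MYSQL_PASSWORD", os.environ.get("MYSQL_PASSWORD", ""))
    if is_placeholder_password(password):
        raise ValueError("MYSQL_PASSWORD is a documentation placeholder; set a real one")
    if "MYSQL_HOST" in env or "MYSQL_PORT" in env:
        raise ValueError("MYSQL_HOST/MYSQL_PORT set; only local unix-socket access is allowed")
    return {
        "unix_socket": env.get("MYSQL_SOCKET", "/var/run/mysqld/mysqld.sock"),  # assumed default path
        "user": env.get("MYSQL_USER", "workout"),
        "password": password,
        "database": env.get("MYSQL_DATABASE", "workout_tracker"),
    }


def gitignore_covers(gitignore_text: str, filename=".workout-tracker.env") -> bool:
    """Basic check that some .gitignore pattern matches the env file name
    (plain fnmatch on the basename; negation and directory rules are not handled)."""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#") or pattern.startswith("!"):
            continue
        if fnmatch(filename, pattern.lstrip("/")):
            return True
    return False


# Constructed sample input, not a file shipped with the skill
SAMPLE_ENV = """# workout-tracker database settings (constructed example)
MYSQL_USER="workout"
MYSQL_PASSWORD="your_secure_password"
MYSQL_DATABASE=workout_tracker
"""

if __name__ == "__main__":
    env = parse_env_text(SAMPLE_ENV)
    try:
        print(mysql_connect_kwargs(env))
    except ValueError as exc:
        print("refused:", exc)
```

Refusing placeholders at load time turns a confusing documentation string into an immediate, explicit error instead of a failed MySQL login; rejecting MYSQL_HOST/MYSQL_PORT keeps the "local via unix_socket only" property enforceable in code rather than only in the docs.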
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ Consistent | Reads .env files for config loading, documented in SKILL.md
Network access | READ | READ | ✓ Consistent | package.json repository URL only, no runtime network access
Command execution | NONE | NONE | - | No shell execution in Python scripts
Environment variables | READ | READ | ✓ Consistent | Reads MYSQL_* env vars for database connection
Skill invocation | NONE | NONE | - | No skill invocation detected
Clipboard | NONE | NONE | - | No clipboard access
Browser | NONE | NONE | - | No browser automation
Database | WRITE | WRITE | ✓ Consistent | Local MySQL via unix_socket only, fully documented
Pattern matches: 4 findings (3 high)
Severity | Pattern | Classification | Match | Location
High | API key | Suspected hard-coded credential | PASSWORD="your_secure_password" | SKILL.md:30
High | API key | Suspected hard-coded credential | PASSWORD="your_secure_password_here" | SKILL.md:91
High | API key | Suspected hard-coded credential | PASSWORD="temporary_password" | TOOLS.md:66
Medium | External URL | External URL | https://clawhub.ai/query1988/workout-tracker | package.json:18
The three high-severity matches are the documentation placeholder strings covered by the low-severity finding above, not live credentials, and the URL is the repository link in package.json, which is not contacted at runtime.

Directory structure

6 files · 40.7 KB · 1267 lines
Markdown: 3 files · 848 lines; Python: 2 files · 361 lines; JSON: 1 file · 58 lines
├─ 📁 scripts
│ ├─ 🐍 init_database.py Python 202L · 6.3 KB
│ └─ 🐍 verify_setup.py Python 159L · 5.3 KB
├─ 📋 package.json JSON 58L · 1.4 KB
├─ 📝 README.md Markdown 136L · 3.9 KB
├─ 📝 SKILL.md Markdown 552L · 19.5 KB
└─ 📝 TOOLS.md Markdown 160L · 4.3 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
mysql-connector-python | * | pip | None listed | Version not pinned (any release satisfies `*`); the package is published by Oracle and widely used. Pin a version for reproducible installs.

Security highlights

✓ All SQL queries use parameterized statements preventing SQL injection
✓ Local-only database connection via unix socket, no remote access
✓ Database user follows least privilege principle (INSERT/SELECT/UPDATE/DELETE only)
✓ Strong input validation documentation with clear do/don't examples
✓ No hardcoded credentials in Python scripts
✓ No network exfiltration or C2 communication detected
✓ No obfuscation or encoded payloads found
✓ No sensitive file path access (ssh, aws credentials, etc.)
✓ Comprehensive security audit checklist in documentation
✓ Error messages do not leak database structure
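The first highlight (parameterized statements) and the fourth (input validation) are the controls that make a "writes user text to a database" skill safe, so here is an added example, not code from the skill, showing the difference in working code. It uses Python's built-in sqlite3 in-memory database as a stand-in for the local MySQL database so it runs offline; mysql-connector-python uses `%s` placeholders where sqlite3 uses `?`, but the mechanism (the driver binds the value as data) is the same. The table layout, the sample rows and the validation limits are assumptions of this example, not the skill's documented schema or rules.

```python
import sqlite3

# Constructed workout rows in the tracker's data model (exercise, sets, reps, weight);
# not data from the skill.
SAMPLE_ROWS = [("squat", 5, 5, 100.0), ("bench press", 5, 5, 70.0), ("deadlift", 1, 5, 140.0)]


def make_db() -> sqlite3.Connection:
    """In-memory sqlite3 database standing in for the local MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE workouts (id INTEGER PRIMARY KEY, exercise TEXT NOT NULL, "
        "sets INTEGER NOT NULL, reps INTEGER NOT NULL, weight REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO workouts (exercise, sets, reps, weight) VALUES (?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_unsafe(conn, exercise: str):
    """VULNERABLE: user text is spliced into the statement, so a quote in the input
    rewrites the WHERE clause. Shown only as the 'before' of the fix."""
    sql = f"SELECT exercise, sets, reps, weight FROM workouts WHERE exercise = '{exercise}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, exercise: str):
    """Parameterized: the value travels as data, never as SQL text.
    sqlite3 placeholder is '?', mysql-connector-python's is '%s'."""
    return conn.execute(
        "SELECT exercise, sets, reps, weight FROM workouts WHERE exercise = ?", (exercise,)
    ).fetchall()


def record_set(conn, exercise: str, sets: int, reps: int, weight: float) -> int:
    """Validate the parsed movement/sets/reps/weight, then insert with bound parameters.
    Returns the new row id. The limits are assumptions for this example."""
    if not isinstance(exercise, str) or not 1 <= len(exercise.strip()) <= 64:
        raise ValueError("exercise must be 1-64 characters")
    if not (isinstance(sets, int) and isinstance(reps, int)
            and 1 <= sets <= 100 and 1 <= reps <= 1000):
        raise ValueError("sets and reps must be positive integers within range")
    if not isinstance(weight, (int, float)) or not 0 <= weight <= 1000:
        raise ValueError("weight must be between 0 and 1000")
    cur = conn.execute(
        "INSERT INTO workouts (exercise, sets, reps, weight) VALUES (?, ?, ?, ?)",
        (exercise.strip(), sets, reps, float(weight)),
    )
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    payload = "squat' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))  # every row comes back
    print("safe:  ", lookup_safe(db, payload))    # no row has that literal name
```

The injected name returns the whole table through the string-formatted query and nothing through the parameterized one, because no exercise is literally called `squat' OR '1'='1`. Validation before the insert is the second layer: it bounds what reaches the database even when the statement itself is safe, which is what the "do/don't" guidance in the skill's documentation is for.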