Low Risk — Risk Score 10/100
Last scan: 23 hr ago
reviewer-rebuttal-coach
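Reads reviewer comments, advisor annotations, or review feedback from the clipboard and generates point-by-point responses, a revision plan, and priority suggestions.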
A minimal-risk clipboard reading skill that uses a single documented macOS command (pbpaste) to extract text, with no hidden functionality or data exfiltration.
Skill Name: reviewer-rebuttal-coach
Duration: 26.5s
Engine: pi
Safe to install
This skill is safe to use. The shell:WRITE permission is narrowly scoped to the pbpaste utility as documented. Consider adding clipboard:READ to the declared capabilities for clarity.

Findings 2 items

Severity: Low
Finding: Shell execution not strictly scoped to clipboard (Priv Escalation)
While pbpaste is documented, execSync could theoretically run any shell command. However, the code only passes 'pbpaste' with no user input.
execSync("pbpaste", { encoding: "utf8" })
→ Consider using Node's native clipboard API or explicitly documenting that only pbpaste is invoked.
Location: scripts/read_clipboard.mjs:4

Severity: Low
Finding: Clipboard access not explicitly declared (Doc Mismatch)
The skill reads clipboard but clipboard:READ is not declared in metadata. Access is implicit through the pbpaste shell command.
metadata: {"openclaw":{"requires":{"bins":["node","pbpaste"]}}}
→ Add clipboard:READ to the declared capabilities for complete transparency.
Location: SKILL.md:1

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md metadata.requires.bins declares 'pbpaste' command |
| Clipboard | NONE | READ | ✓ Aligned | Functionality reads clipboard but not explicitly declared; justified by pbpaste |
| Filesystem | NONE | NONE | | No file operations in read_clipboard.mjs |
| Network | NONE | NONE | | No network requests in any file |

File Tree

4 files · 2.0 KB · 90 lines
Markdown 3f · 71L JavaScript 1f · 19L
├─ 📁 scripts
│ └─ 📜 read_clipboard.mjs JavaScript 19L · 445 B
├─ 📝 CHANGELOG.md Markdown 6L · 157 B
├─ 📝 README.md Markdown 26L · 483 B
└─ 📝 SKILL.md Markdown 39L · 980 B

Security Positives

✓ No external network requests or data exfiltration
✓ No credential harvesting or environment variable access
✓ No file system writes or sensitive path access
✓ No obfuscation, base64 encoding, or anti-analysis patterns
✓ Functionality is straightforward and matches documentation
✓ Only uses a single, documented macOS utility (pbpaste)
✓ Error handling present for empty clipboard scenarios