Trusted: risk score 5/100
Last scan: 17 hours ago
knowledge-graph-builder
Knowledge graph construction tool. Automatically extracts knowledge and relations from documents; supports graph visualization, semantic search, and multiple export formats.
This is a legitimate knowledge graph builder skill with entirely stub implementations (TODO-only code). No malicious behavior, credential theft, network exfiltration, or obfuscation was found.
Skill name: knowledge-graph-builder
Analysis time: 45.5s
Engine: pi
Verdict: safe to install
No action needed. This skill is safe to use. Note that it contains no functional implementation yet — all core modules are TODO stubs.

Security findings (2)

Finding 1
Severity: Low
Finding: Dependencies loosely pinned
Category: Supply chain
Location: requirements.txt:1
requirements.txt uses >= version constraints (spacy>=3.5.0, networkx>=3.0) without upper bounds, which could allow installation of unexpected future versions.
Evidence:
spacy>=3.5.0
networkx>=3.0
→ Pin exact versions or use compatible release operators (e.g., ~=) to ensure reproducible builds.

Finding 2
Severity: Info
Finding: Stub implementation mismatch
Category: Documentation deception
Location: kg_builder/extractor.py, kg_builder/relation.py, kg_builder/search.py
SKILL.md advertises 'knowledge extraction', 'relation identification', 'graph visualization', and 'semantic search' functionality, but all core Python modules contain only TODO stubs with no functional implementation. This is a doc-code mismatch of intent, not a security consequence.
Evidence: TODO: parse with PyPDF2; TODO: use Ollama to enrich entity information
→ Implement the advertised functionality or update SKILL.md to reflect that core features are unimplemented.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ consistent | kg_builder/extractor.py:64 — open(file_path, 'r')
Network access | READ | NONE | ✓ consistent | No network calls in any Python file; external URLs are only in docs/visualizer H…
Command execution | NONE | NONE | | skill.sh uses only echo/logging; no subprocess, curl, wget, or exec calls
Environment variables | NONE | NONE | | config/config.json reads NEO4J_PASSWORD and OLLAMA_BASE_URL from env, but only a…
Skill invocation | NONE | NONE | | No skill-to-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | WRITE | WRITE | ✓ consistent | storage/sqlite_store.py:53-73 — INSERT OR REPLACE INTO entities/relations tables
External URLs (2 findings)
Severity | Type | URL | Location
Medium | External URL | https://clawhub.com | README.md:165
Medium | External URL | https://d3js.org/d3.v7.min.js | kg_builder/visualizer.py:35

Directory structure

19 files · 41.4 KB · 1508 lines
Python 12 files · 960 lines; Markdown 2 files · 291 lines; Shell 1 file · 186 lines; JSON 3 files · 69 lines; Text 1 file · 2 lines
├─ 📁 config
│ └─ 🔑 config.json JSON 39L · 926 B
├─ 📁 kg_builder
│ ├─ 🐍 __init__.py Python 24L · 560 B
│ ├─ 🐍 extractor.py Python 112L · 3.5 KB
│ ├─ 🐍 graph.py Python 114L · 3.1 KB
│ ├─ 🐍 relation.py Python 132L · 4.2 KB
│ ├─ 🐍 search.py Python 102L · 2.8 KB
│ └─ 🐍 visualizer.py Python 71L · 2.0 KB
├─ 📁 storage
│ └─ 🐍 sqlite_store.py Python 160L · 5.2 KB
├─ 📁 tests
│ ├─ 🐍 __init__.py Python 1L · 16 B
│ ├─ 🐍 run_tests.py Python 38L · 953 B
│ ├─ 🐍 test_extractor.py Python 57L · 1.5 KB
│ ├─ 🐍 test_graph.py Python 65L · 1.8 KB
│ └─ 🐍 test_relation.py Python 84L · 2.7 KB
├─ 📋 _meta.json JSON 5L · 142 B
├─ 📋 package.json JSON 25L · 606 B
├─ 📝 README.md Markdown 170L · 3.5 KB
├─ 📄 requirements.txt Text 2L · 27 B
├─ 📝 SKILL.md Markdown 121L · 2.5 KB
└─ 🔧 skill.sh Shell 186L · 5.4 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
spacy | >=3.5.0 | pip | | Lower bound only, no upper cap
networkx | >=3.0 | pip | | Lower bound only, no upper cap

Security highlights

✓ No credential harvesting or environment variable exfiltration detected
✓ No subprocess, shell execution, or command injection vulnerabilities
✓ No base64-encoded payloads, eval(), or dynamic code execution
✓ No data exfiltration or C2 communication channels
✓ No obfuscation or anti-analysis techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No supply-chain typosquatting or malicious dependency indicators
✓ SQLiteStorage uses parameterized queries (no SQL injection risk)
✓ Neo4j and Ollama credentials are read-only config template values, not exfiltrated