Low risk - risk score 10/100
Last scanned: 2 days ago
bark
Send push notifications to iOS devices via Bark app
Bark notification skill is a legitimate push notification tool with no malicious behavior - all capabilities are documented and proportional to the stated functionality.
Skill name: bark
Analysis time: 22.6s
Engine: pi
OK to install
Skill is safe to use. No action required.

Security findings: 1

Severity | Finding | Location
Low | Shell execution implied but not declared in capability mapping | SKILL.md:48
SKILL.md shows curl commands which require shell execution, but the capability mapping only explicitly declares filesystem:READ and network:READ. Shell:WRITE is implied by curl usage.
curl -s -X POST "https://api.day.app/$KEY"
→ Add shell:WRITE to declared capabilities if the agent will execute curl commands directly.
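Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ Consistent | SKILL.md: Reads ~/.bark/key
Network access | READ | READ | ✓ Consistent | SKILL.md: Makes POST/GET to api.day.app
Command execution | NONE | WRITE | ✓ Consistent | SKILL.md: curl commands suggest shell:WRITE but not explicitly declared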
3 findings
Medium | External URL | https://api.day.app/ | SKILL.md:18
Medium | External URL | https://api.day.app/$KEY | SKILL.md:49
Medium | External URL | https://api.day.app/yourkey | SKILL.md:91

Directory structure

1 file · 3.2 KB · 101 lines
Markdown 1f · 101L
└─ 📝 SKILL.md Markdown 101L · 3.2 KB

Security highlights

✓ No hidden functionality - SKILL.md accurately describes all behavior
✓ No credential exfiltration - ~/.bark/key is read but only used locally for notification API
✓ Network calls only to legitimate Bark API server (api.day.app)
✓ No suspicious patterns: no base64, no eval, no external IPs beyond declared server
✓ No suspicious path access beyond the designated credential file
✓ No dependency on untrusted external scripts