Low Risk — Risk Score 18/100
Last scan: 2 days ago
communityos-lite
Simple Telegram Bot management with LLM and knowledge base. Local-only, no external dependencies.
CommunityOS-Lite is a legitimate Telegram bot management tool with clear security documentation. No malicious behavior detected - all sensitive operations (subprocess, network, env access) are documented or necessary for core functionality.
Skill Name: communityos-lite
Duration: 59.4s
Engine: pi
Safe to install
Accept for use. Consider enabling authentication via reverse proxy if exposing beyond localhost. Pin all dependency versions for reproducibility.

Findings (3 items)

Severity | Finding | Location

Low | Vulnerable pinned dependency | requirements.txt:1
requests==2.31.0, fastapi==0.109.0 and uvicorn[standard]==0.27.0 are pinned to exact versions with ==, so an upper bound is neither missing nor needed for them. chromadb==0.4.22, however, is pinned to a release with a known CVE (CVE-2024-3755).
Evidence:
fastapi==0.109.0
uvicorn[standard]==0.27.0
→ Keep the exact pins for reproducibility and upgrade chromadb to a fixed release (the dependency table below recommends >=0.5.0). If a range is ever used instead of an exact pin, give it an upper bound, e.g. fastapi>=0.109.0,<0.110.0.

Info | Missing LLM module | bot_engine/bot_instance.py:77
bot_engine/llm.py is imported but not present in the codebase (the file tree lists no llm.py under bot_engine), so LLM features will fail with an ImportError.
Evidence:
from bot_engine.llm import LLMFactory
→ Include the LLM factory module or document it as a separate package dependency.

Info | API key stored in config file | admin/app.py:680
The LLM API key is written to admin/data/llm_config.json when the user saves it via the UI, so it is stored in plaintext on disk. SKILL.md documents the tool as local-only.
Evidence:
save_json('llm_config', config)
→ Document this clearly, restrict the file's permissions to the service user, and prefer environment variables (as already used for TELEGRAM_BOT_TOKEN) or a secrets manager for production deployments.
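The third finding is about where the key ends up, not whether the UI may accept it. The following is an added example (not the project's own save_json from admin/app.py) of how a save path can keep the key out of the JSON file: the secret field is replaced by the name of the environment variable that holds it, the file is written atomically with 0600 permissions, and the loader resolves the reference at runtime. The field name api_key, the function names, and the provider value are assumptions; MINIMAX_API_KEY is one of the variables SKILL.md lists.

```python
import json
import os
import stat
import tempfile

SECRET_FIELDS = ("api_key",)   # assumed name of the secret field in the UI's config dict
ENV_REF_SUFFIX = "_env"        # "api_key" on disk becomes "api_key_env": "<VAR NAME>"


def save_llm_config(config, path, env_var="MINIMAX_API_KEY"):
    """Write config to path with secrets replaced by an env-var reference.

    The file is created with mode 0600 and moved into place with os.replace so a
    crash mid-write never leaves a half-written or world-readable config behind.
    Returns the dict that was actually written.
    """
    safe = dict(config)
    for name in SECRET_FIELDS:
        if name in safe:
            safe.pop(name)
            safe[name + ENV_REF_SUFFIX] = env_var
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".llm_config.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(safe, fh, indent=2)
        os.chmod(tmp, 0o600)          # mkstemp already uses 0600; make it explicit
        os.replace(tmp, path)         # atomic on POSIX
    except BaseException:
        os.unlink(tmp)
        raise
    return safe


def load_llm_config(path, environ=os.environ):
    """Read the config and resolve each *_env reference from the environment."""
    with open(path) as fh:
        cfg = json.load(fh)
    for name in SECRET_FIELDS:
        ref = cfg.pop(name + ENV_REF_SUFFIX, None)
        if ref is None:
            continue
        if ref not in environ:
            raise KeyError(f"{name}: environment variable {ref} is not set")
        cfg[name] = environ[ref]
    return cfg


def demo():
    """Round-trip a constructed config through a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "llm_config.json")
        # Constructed config; "sk-constructed" is a dummy value, not a real key.
        on_disk = save_llm_config(
            {"provider": "minimax", "model": "constructed-model", "api_key": "sk-constructed"},
            path,
        )
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            raw = fh.read()
        loaded = load_llm_config(path, environ={"MINIMAX_API_KEY": "sk-constructed"})
        return {
            "key_on_disk": "sk-constructed" in raw,   # expect False
            "mode": mode,                              # expect 0o600
            "on_disk": on_disk,
            "loaded": loaded,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With this layout the UI can still show and edit the key in memory, but admin/data/llm_config.json only ever records which variable to read, which also keeps the secret out of backups and out of any "show config" endpoint that dumps the file verbatim.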
Resource Access

Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: creates JSON configs and knowledge base files
Network | READ | READ | ✓ Aligned | SKILL.md: "Outbound Network - Makes calls to Telegram API and LLM providers"
Shell | WRITE | WRITE | ✓ Aligned | admin/app.py:1130: subprocess.Popen starts telegram_runner.py
Environment | READ | READ | ✓ Aligned | SKILL.md: lists TELEGRAM_BOT_TOKEN, MINIMAX_API_KEY, etc.
External URLs (6 findings)

Severity | URL | Location
Medium | http://127.0.0.1:8877/lite | SKILL.md:52
Medium | https://api.example.com/news | admin/app.py:142
Medium | https://feeds.example.com/web3 | admin/app.py:164
Medium | https://api.telegram.org/bot | admin/app.py:463
Medium | https://your-domain/api/telegram/webhook/ | admin/app.py:1208
Medium | https://api.example.com/v1 | admin/lite.html:167

Triage note: 127.0.0.1 is the loopback address, i.e. the tool's own admin UI at its documented local-only binding; api.example.com and feeds.example.com are IANA-reserved example domains used as placeholders; https://your-domain/api/telegram/webhook/ is a webhook URL template the operator fills in. The only resolvable remote endpoint in this list is https://api.telegram.org/bot, which matches the outbound Telegram API use declared in SKILL.md.

File Tree

14 files · 107.4 KB · 2667 lines
Python: 6 files, 1823 lines · HTML: 3 files, 554 lines · JSON: 2 files, 145 lines · Markdown: 2 files, 138 lines · Text: 1 file, 7 lines
├─ 📁 admin
│ ├─ 📁 templates
│ │ ├─ 📄 index.html HTML 6L · 154 B
│ │ └─ 📄 login.html HTML 19L · 568 B
│ ├─ 🐍 app.py Python 1321L · 59.8 KB
│ ├─ 📄 lite.html HTML 529L · 21.0 KB
│ └─ 🐍 telegram_runner.py Python 159L · 5.6 KB
├─ 📁 bot_engine
│ ├─ 🐍 __init__.py Python 1L · 25 B
│ ├─ 🐍 bot_instance.py Python 117L · 3.9 KB
│ ├─ 🐍 config_parser.py Python 63L · 2.3 KB
│ └─ 🐍 manager.py Python 162L · 6.3 KB
├─ 📁 config
│ └─ 📋 openclaw.json JSON 131L · 3.7 KB
├─ 📋 _meta.json JSON 14L · 487 B
├─ 📝 README.md Markdown 69L · 1.6 KB
├─ 📄 requirements.txt Text 7L · 129 B
└─ 📝 SKILL.md Markdown 69L · 1.9 KB

Dependencies (4 items)

Package | Version | Source | Known Vulns | Notes
chromadb | 0.4.22 | pip | Yes | CVE-2024-3755; upgrade to >=0.5.0 recommended
requests | 2.31.0 | pip | No | Exact pin (==)
fastapi | 0.109.0 | pip | No | Exact pin (==)
uvicorn | 0.27.0 | pip | No | Exact pin (==), installed with the [standard] extra
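The Low finding above and this dependency table both turn on the same two questions: is each requirement actually fixed to a version, and is that version one with a known advisory? The following added example (not part of the scanner or the project) answers both over a constructed requirements file: it distinguishes exact pins (==) from bounded ranges, unbounded ranges (">=" only) and bare names, and flags pinned versions below a known fix. The advisory table is a one-entry literal built from the report's chromadb note; in practice it would come from pip-audit or OSV, and the two extra requirements in the sample are constructed to exercise the non-pinned cases.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample requirements file. The first four pins mirror those listed
# in this report; the last two are added to show the unbounded/unpinned cases.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the project's real requirements.txt
requests==2.31.0
fastapi==0.109.0
uvicorn[standard]==0.27.0
chromadb==0.4.22
pydantic>=2.0
python-dotenv
"""

# Minimal advisory table: package -> (first fixed version, advisory id).
# The chromadb entry reflects the report's CVE-2024-3755 note and its ">=0.5.0"
# upgrade advice; a real audit would query pip-audit or OSV instead of a literal.
ADVISORIES = {"chromadb": ("0.5.0", "CVE-2024-3755")}

# name, optional [extras], then whatever version specifier follows
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>.*)$")


@dataclass
class ReqAudit:
    name: str
    pin: str                        # exact | range | unbounded | unpinned
    version: Optional[str] = None   # only set for exact pins
    advisories: List[str] = field(default_factory=list)


def _vtuple(version):
    """Numeric components of a version string; enough for simple X.Y.Z comparisons."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit_requirements(text):
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue                              # URLs, -r includes, etc. are out of scope
        name = m.group("name").lower()
        spec = m.group("spec").replace(" ", "")
        version = None
        if spec.startswith("=="):
            pin, version = "exact", spec[2:]      # fixed version: no upper bound needed
        elif not spec:
            pin = "unpinned"                      # bare name: whatever pip resolves today
        elif "<" in spec or spec.startswith("~="):
            pin = "range"                         # has an upper bound of some kind
        else:
            pin = "unbounded"                     # e.g. ">=2.0": any future release passes
        audit = ReqAudit(name, pin, version)
        if version and name in ADVISORIES:
            fixed, ident = ADVISORIES[name]
            if _vtuple(version) < _vtuple(fixed):
                audit.advisories.append(f"{ident} (fixed in >={fixed})")
        results.append(audit)
    return results


def problems(text):
    """One human-readable line per requirement that needs attention, in file order."""
    out = []
    for r in audit_requirements(text):
        if r.pin in ("unpinned", "unbounded"):
            out.append(f"{r.name}: {r.pin}; add an exact pin or an upper bound")
        for a in r.advisories:
            out.append(f"{r.name}=={r.version}: {a}")
    return out


if __name__ == "__main__":
    for line in problems(SAMPLE_REQUIREMENTS):
        print(line)
```

Run against the report's four pins, only chromadb is reported, for the CVE rather than for pinning; the "unbounded" and "unpinned" lines come from the two constructed extras. Exact pins are deliberately not flagged, which is the distinction the finding's original "no upper bound" wording blurred.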

Security Positives

✓ SKILL.md explicitly documents all security-relevant behaviors
✓ Local-only binding (127.0.0.1:8877) is enforced and documented
✓ No authentication bypass hidden from user - clearly warned in SKILL.md
✓ No obfuscation, base64 payloads, or reverse shell patterns
✓ No exfiltration of credentials to third-party endpoints
✓ API keys sourced from environment variables (not hardcoded)
✓ File operations are scoped to skill's working directory