Trusted — Risk score 5/100
Last scanned: 17 hours ago
weekly-menu
Generate a weekly meal plan with images, recipes, and shopping lists via Xiaohongshu search and Feishu document creation
This is a pure-documentation skill with no executable code — it defines a workflow for generating weekly meal plans via Feishu API and Xiaohongshu search, with all capabilities fully declared in SKILL.md.
Skill name: weekly-menu
Analysis time: 28.3s
Engine: pi
Can be installed
No action needed. The skill is safe to use.

Security findings: 1

Severity · Finding · Location
Low
References workspace paths without confirming bundled files · Documentation deception
SKILL.md references meals/profile.yaml and workspace/tmp/dishes/ but these are user-created runtime paths, not skill-bundled files. This is borderline misleading but acceptable as the skill is designed to create user-specific files on first run.
User profile at meals/profile.yaml (see references/profile-template.yaml)
→ Clarify that meals/profile.yaml is a user-created file, not included in the skill bundle.
SKILL.md:11
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ | READ | ✓ Consistent | SKILL.md reads meals/profile.yaml, meals/history.yaml; references/profile-templa… |
| Network access | READ | READ | ✓ Consistent | curl downloads dish images from free sources; Feishu API calls documented in ref… |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md line 62: curl -sL downloads images to workspace/tmp/dishes/ — declared … |
| Environment variables | NONE | NONE | | No environment variable access found; credentials sourced from ~/.openclaw/openc… |
| Skill invocation | READ | READ | ✓ Consistent | SKILL.md line 35: mcporter call 'xiaohongshu.search_feeds(...)' — declares depen… |
| Clipboard | NONE | NONE | | No clipboard access detected |
| Browser | NONE | NONE | | No browser automation detected |
| Database | NONE | NONE | | No database access detected |
6 findings
Medium · External URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
references/feishu-doc-recipe.md:8
Medium · External URL
https://open.feishu.cn/open-apis/docx/v1/documents
references/feishu-doc-recipe.md:18
Medium · External URL
https://open.feishu.cn/open-apis/drive/v1/permissions/
references/feishu-doc-recipe.md:29
Medium · External URL
https://open.feishu.cn/open-apis/drive/v1/medias/upload_all
references/feishu-doc-recipe.md:70
Medium · External URL
https://open.feishu.cn/open-apis/docx/v1/documents/
references/feishu-doc-recipe.md:84
Medium · External URL
https://open.feishu.cn/open-apis/drive/v1/files/
references/feishu-doc-recipe.md:95

Directory structure

3 files · 10.4 KB · 344 lines
Markdown: 2 files · 240 lines; YAML: 1 file · 104 lines
├─ 📁 references
│ ├─ 📝 feishu-doc-recipe.md Markdown 113L · 3.6 KB
│ └─ 📋 profile-template.yaml YAML 104L · 1.9 KB
└─ 📝 SKILL.md Markdown 127L · 4.9 KB

Security highlights

✓ No executable code (scripts, Python, JavaScript) — purely documentation
✓ All network calls are to documented Feishu API endpoints (open.feishu.cn)
✓ Image downloads use curl with explicit timeout flags (--connect-timeout 10 --max-time 20) — bounded execution
✓ Credential access (Feishu app_id/secret) is declared and reads from a standard config file (~/.openclaw/openclaw.json)
✓ Xiaohongshu search is delegated to the agent-reach skill, not implemented directly
✓ No credential harvesting, data exfiltration, base64 encoding, or obfuscation observed
✓ All file system access (profile.yaml, history.yaml) is declared and scoped to user data files
✓ SKILL.md clearly documents prerequisites, workflow steps, and file references