Low Risk — Risk Score 20/100
Last scan: 2 days ago
requirement-checker
Automatic requirement document compliance checking skill (AI-driven + intelligent guidance) — LLM-powered requirement document validator
A legitimate requirement document checker that uses LLM APIs to validate documents. No malicious behavior detected. The primary concern is a hardcoded API key stored in config.json which is used locally for API calls rather than exfiltrated.
Skill Name: requirement-checker
Duration: 57.6s
Engine: pi
Safe to install
Move the hardcoded API key from config.json to environment variables or prompt for it at runtime. Add config.json to .gitignore to prevent credential leakage.

Findings 3 items

Severity Finding Location
Medium
Hardcoded API Key in config.json
config.json contains a real API key 'sk-sp-d808a63f016c4e77b83c5165ecf1e400' which is used for LLM API calls. While the key is not exfiltrated (used only for local API calls), storing credentials in config files risks exposure if the repo is committed to version control.
"api_key": "sk-sp-d808a63f016c4e77b83c5165ecf1e400"
→ Move API key to environment variable (OPENAI_API_KEY). Prompt user for key at first run. Add config.json to .gitignore.
config.json:27
Low
Environment variable access not declared
SKILL.md does not declare that the skill reads OPENAI_API_KEY and OPENAI_BASE_URL from environment variables. This is benign (used for legitimate API configuration) but should be documented for transparency.
api_key = os.getenv('OPENAI_API_KEY')
→ Add environment variable access to SKILL.md declared capabilities.
scripts/check_with_llm.py:74
Low
Reads OpenClaw user config for API credentials
scan_openclaw_providers() reads ~/.openclaw/openclaw.json to find LLM provider credentials. This is a legitimate fallback mechanism but accesses user configuration files.
config_path = Path.home() / '.openclaw' / 'openclaw.json'
→ Document this behavior in SKILL.md and ensure the tool only reads API keys, not other sensitive data from the config.
scripts/check_with_llm.py:113
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | Reads requirement docs, writes reports to output dir — necessary for the feature |
| Network | READ | READ | ✓ Aligned | Makes POST requests to configured LLM API (dashscope) for document checking only |
| Environment | NONE | READ | ✓ Aligned | Reads OPENAI_API_KEY, OPENAI_BASE_URL from env; not declared in SKILL.md but ben… |
| Shell | NONE | NONE | | No subprocess or shell execution found in codebase |
| Skill Invoke | WRITE | WRITE | ✓ Aligned | Uses sessions_spawn with subagent runtime as documented in SKILL.md |
1 High, 8 findings

| Severity | Type | Match | Location |
|---|---|---|---|
| High | API Key (suspected hardcoded credential) | API_KEY="your-api-key-here" | README.md:121 |
| Medium | External URL | https://coding.dashscope.aliyuncs.com/v1 | OPTIMIZATION_SUMMARY.md:137 |
| Medium | External URL | https://clawhub.ai | README.md:411 |
| Medium | External URL | https://docs.openclaw.ai | README.md:412 |
| Medium | External URL | https://discord.com/invite/clawd | README.md:413 |
| Medium | External URL | https://dashscope.aliyuncs.com/compatible-mode/v1 | generate_gwt_llm.py:33 |
| Medium | External URL | https://www.figma.com/file/xxx | references/templates.md:90 |
| Medium | External URL | https://coding.dashscope.aliyuncs.com/v1): | scripts/check_with_llm.py:268 |

File Tree

22 files · 244.0 KB · 7244 lines
Python 14f · 5426L Markdown 6f · 1690L Shell 1f · 91L JSON 1f · 37L
├─ 📁 references
│ ├─ 📝 checklist.md Markdown 141L · 3.6 KB
│ ├─ 📝 llm-enhanced.md Markdown 283L · 6.9 KB
│ └─ 📝 templates.md Markdown 288L · 7.0 KB
├─ 📁 scripts
│ ├─ 🐍 batch_check_ai.py Python 582L · 23.5 KB
│ ├─ 🐍 batch_check_with_agent.py Python 116L · 3.2 KB
│ ├─ 🐍 batch_check.py Python 665L · 26.0 KB
│ ├─ 🐍 check_requirement_agent.py Python 754L · 28.8 KB
│ ├─ 🐍 check_requirement_enhanced.py Python 233L · 14.1 KB
│ ├─ 🐍 check_requirement_llm.py Python 471L · 16.0 KB
│ ├─ 🐍 check_requirement.py Python 407L · 18.6 KB
│ ├─ 🐍 check_with_llm.py Python 600L · 19.2 KB
│ ├─ 🐍 generate_gwt.py Python 190L · 7.3 KB
│ ├─ 🐍 parse_requirement.py Python 532L · 17.3 KB
│ └─ 🐍 test_config.py Python 93L · 2.7 KB
├─ 🐍 check_requirement.py Python 405L · 13.1 KB
├─ 🔑 config.json JSON 37L · 881 B
├─ 🐍 generate_gwt_llm.py Python 205L · 5.9 KB
├─ 🐍 generate_gwt_with_llm.py Python 173L · 5.0 KB
├─ 📝 OPTIMIZATION_SUMMARY.md Markdown 380L · 8.3 KB
├─ 📝 README.md Markdown 416L · 9.8 KB
├─ 🔧 setup_api.sh Shell 91L · 2.3 KB
└─ 📝 SKILL.md Markdown 182L · 4.5 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | not pinned | pip | No | requests library used for LLM API calls; version not pinned in requirements |
| python-docx | not pinned | pip | No | Optional dependency for Word document parsing; version not pinned |

Security Positives

✓ No subprocess, shell execution, or command injection found
✓ No base64-encoded payloads or eval/exec patterns
✓ No credential exfiltration — API key stays local and is sent only to configured LLM endpoint
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2 communication, or data theft patterns
✓ Uses sessions_spawn with subagent runtime as documented in SKILL.md
✓ No suspicious download or remote script execution (no curl|bash or wget|sh)
✓ All network requests go to the configured LLM API endpoint only