requirement-checker 安全扫描报告 — 低风险 | ClawSafe

20 /100

requirement-checker

需求文档规范自动检查技能（AI 驱动 + 智能引导）— LLM-powered requirement document validator

A legitimate requirement document checker that uses LLM APIs to validate documents. No malicious behavior detected. The primary concern is a hardcoded API key stored in config.json which is used locally for API calls rather than exfiltrated.

技能名称requirement-checker

分析耗时57.6s

引擎pi

✓

可以安装

Move the hardcoded API key from config.json to environment variables or prompt for it at runtime. Add config.json to .gitignore to prevent credential leakage.

安全发现 3 项

严重性	安全发现	位置
中危	Hardcoded API Key in config.json config.json contains a real API key 'sk-sp-d808a63f016c4e77b83c5165ecf1e400' which is used for LLM API calls. While the key is not exfiltrated (used only for local API calls), storing credentials in config files risks exposure if the repo is committed to version control. `"api_key": "sk-sp-d808a63f016c4e77b83c5165ecf1e400"` → Move API key to environment variable (OPENAI_API_KEY). Prompt user for key at first run. Add config.json to .gitignore.	`config.json:27`
低危	Environment variable access not declared SKILL.md does not declare that the skill reads OPENAI_API_KEY and OPENAI_BASE_URL from environment variables. This is benign (used for legitimate API configuration) but should be documented for transparency. `api_key = os.getenv('OPENAI_API_KEY')` → Add environment variable access to SKILL.md declared capabilities.	`scripts/check_with_llm.py:74`
低危	Reads OpenClaw user config for API credentials scan_openclaw_providers() reads ~/.openclaw/openclaw.json to find LLM provider credentials. This is a legitimate fallback mechanism but accesses user configuration files. `config_path = Path.home() / '.openclaw' / 'openclaw.json'` → Document this behavior in SKILL.md and ensure the tool only reads API keys, not other sensitive data from the config.	`scripts/check_with_llm.py:113`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✓ 一致	Reads requirement docs, writes reports to output dir — necessary for the feature
网络访问	`READ`	`READ`	✓ 一致	Makes POST requests to configured LLM API (dashscope) for document checking only
环境变量	`NONE`	`READ`	✓ 一致	Reads OPENAI_API_KEY, OPENAI_BASE_URL from env; not declared in SKILL.md but ben…
命令执行	`NONE`	`NONE`	—	No subprocess or shell execution found in codebase
技能调用	`WRITE`	`WRITE`	✓ 一致	Uses sessions_spawn with subagent runtime as documented in SKILL.md

1 高危 8 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your-api-key-here"

README.md:121

🔗

中危外部 URL 外部 URL

https://coding.dashscope.aliyuncs.com/v1

OPTIMIZATION_SUMMARY.md:137

🔗

中危外部 URL 外部 URL

https://clawhub.ai

README.md:411

🔗

中危外部 URL 外部 URL

https://docs.openclaw.ai

README.md:412

🔗

中危外部 URL 外部 URL

https://discord.com/invite/clawd

README.md:413

🔗

中危外部 URL 外部 URL

https://dashscope.aliyuncs.com/compatible-mode/v1

generate_gwt_llm.py:33

🔗

中危外部 URL 外部 URL

https://www.figma.com/file/xxx

references/templates.md:90

🔗

中危外部 URL 外部 URL

https://coding.dashscope.aliyuncs.com/v1）:

scripts/check_with_llm.py:268

目录结构

22 文件 · 244.0 KB · 7244 行

Python 14f · 5426L Markdown 6f · 1690L Shell 1f · 91L JSON 1f · 37L

├─ ▾ 📁 references

│ ├─ 📝 checklist.md Markdown 141L · 3.6 KB

│ ├─ 📝 llm-enhanced.md Markdown 283L · 6.9 KB

│ └─ 📝 templates.md Markdown 288L · 7.0 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 batch_check_ai.py Python 582L · 23.5 KB

│ ├─ 🐍 batch_check_with_agent.py Python 116L · 3.2 KB

│ ├─ 🐍 batch_check.py Python 665L · 26.0 KB

│ ├─ 🐍 check_requirement_agent.py Python 754L · 28.8 KB

│ ├─ 🐍 check_requirement_enhanced.py Python 233L · 14.1 KB

│ ├─ 🐍 check_requirement_llm.py Python 471L · 16.0 KB

│ ├─ 🐍 check_requirement.py Python 407L · 18.6 KB

│ ├─ 🐍 check_with_llm.py Python 600L · 19.2 KB

│ ├─ 🐍 generate_gwt.py Python 190L · 7.3 KB

│ ├─ 🐍 parse_requirement.py Python 532L · 17.3 KB

│ └─ 🐍 test_config.py Python 93L · 2.7 KB

├─ 🐍 check_requirement.py Python 405L · 13.1 KB

├─ 🔑 config.json ⚠ JSON 37L · 881 B

├─ 🐍 generate_gwt_llm.py Python 205L · 5.9 KB

├─ 🐍 generate_gwt_with_llm.py Python 173L · 5.0 KB

├─ 📝 OPTIMIZATION_SUMMARY.md Markdown 380L · 8.3 KB

├─ 📝 README.md Markdown 416L · 9.8 KB

├─ 🔧 setup_api.sh Shell 91L · 2.3 KB

└─ 📝 SKILL.md Markdown 182L · 4.5 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`requests`	`not pinned`	pip	否	requests library used for LLM API calls; version not pinned in requirements
`python-docx`	`not pinned`	pip	否	Optional dependency for Word document parsing; version not pinned

安全亮点

✓ No subprocess, shell execution, or command injection found

✓ No base64-encoded payloads or eval/exec patterns

✓ No credential exfiltration — API key stays local and is sent only to configured LLM endpoint

✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)

✓ No reverse shell, C2 communication, or data theft patterns

✓ Uses sessions_spawn with subagent runtime as documented in SKILL.md

✓ No suspicious download or remote script execution (no curl|bash or wget|sh)

✓ All network requests go to the configured LLM API endpoint only