Low risk (risk score 20/100)
Last scan: 22 hours ago
conference-schedule-optimizer
Conference schedule optimization tool for scientific/medical conferences
Conference scheduling tool with declared shell permissions not actually used in code - mismatch between docs and implementation but no malicious behavior detected.
Skill name: conference-schedule-optimizer
Analysis time: 37.0 s
Engine: pi
Verdict: OK to install
This skill is safe to use. Consider pinning allowed-tools to only Read and Write since no shell commands are executed in the actual implementation.

Security findings (2)

Severity | Finding | Category | Location
Low | Shell permission declared but never used | Documentation deception | SKILL.md:1
SKILL.md declares 'Bash' in allowed-tools, implying a shell:WRITE capability, but the Python implementation in scripts/main.py contains no subprocess, os.system, or other shell-execution calls. The code is a pure scheduling algorithm using only the stdlib json and argparse modules.
Evidence: allowed-tools: "Read Write Bash Edit"
→ Remove 'Bash' from allowed-tools since no shell commands are executed. Use only Read and Write if file output is needed.

Low | No dependency documentation | Supply chain | scripts/main.py:1
The skill relies solely on the Python standard library (argparse, json, datetime) but does not document this. Having no external dependencies is a positive security trait; it should be stated explicitly so reviewers do not have to infer it from the imports.
Evidence: import argparse, import json, from datetime import datetime
→ Document that the skill uses only the stdlib, which reduces supply-chain risk.
Resource type | Declared | Inferred | Status | Evidence
Filesystem read | READ | READ | ✓ consistent | scripts/main.py:42 - open(schedule_file)
Filesystem write | WRITE | WRITE | ✓ consistent | SKILL.md declares Write; the code writes only to the --output path with json.dump
Command execution | WRITE | NONE | ✗ over-privileged | SKILL.md declares 'Bash' but scripts/main.py contains no subprocess, os.system, …
Network access | NONE | NONE | ✓ consistent | No network requests in code
Environment variables | NONE | NONE | ✓ consistent | No os.environ access
Skill invocation | NONE | NONE | ✓ consistent | No skill invocation patterns

Directory structure

3 files · 10.5 KB · 364 lines
Markdown 1 file · 220 lines; Python 1 file · 133 lines; JSON 1 file · 11 lines
├─ 📁 scripts
│ └─ 🐍 main.py Python 133L · 4.1 KB
├─ 📝 SKILL.md Markdown 220L · 6.0 KB
└─ 📋 tile.json JSON 11L · 345 B

Security highlights

✓ No network requests or external communications detected
✓ No credential access, credential harvesting, or environment-variable enumeration
✓ No obfuscation techniques (base64, eval, or dynamic code execution)
✓ No file system access beyond reading and writing the user-specified schedule files
✓ Uses only the Python standard library; with no third-party packages there is no package-dependency supply-chain surface to audit
✓ Clean, straightforward scheduling algorithm with no suspicious logic
✓ No hidden functionality or shadow operations
✓ MIT licensed, so the source can be freely reviewed and audited