Low risk: risk score 15/100
Last scanned: 22 hours ago
snappwd-share
Securely share secrets, API keys, files, and credentials with OpenClaw agents and team members via self-destructing links
This is a legitimate secret-sharing skill that redirects users to use an external CLI tool (snappwd) or web interface for secure credential sharing. No malicious behavior detected - all functionality is declared and aligns with documented behavior.
Skill name: snappwd-share
Analysis time: 34.7s
Engine: pi
Safe to install
This skill is safe to use. Consider pinning the @snappwd/cli version in documentation to reduce supply chain risk. The skill merely guides users to use the external tool rather than implementing the sharing mechanism directly.

Security findings: 1

Severity: Low
Finding: Unpinned npm package dependency
Category: Supply chain
Location: SKILL.md:48
The documentation instructs users to install @snappwd/cli without a version pin ('npm install -g @snappwd/cli'). This creates a minor supply chain risk as the package could be updated with malicious code in the future.
npm install -g @snappwd/cli
→ Consider specifying a version: npm install -g @snappwd/cli@latest or recommend reviewing the package before installation
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | Skill does not directly access filesystem - merely guides users to share files v…
Network access | READ | READ | ✓ Consistent | SKILL.md declares network access via external snappwd.io service
Command execution | NONE | READ | ✓ Consistent | scripts/snappwd-share.sh uses 'snappwd put' command - declared as CLI integratio…
Environment variables | NONE | NONE | | No environment variable access detected
Skill invocation | NONE | NONE | | No skill-to-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
7 findings

Severity | Type | URL | Location
Medium | External URL | https://snappwd.io**: | SKILL.md:22
Medium | External URL | https://snappwd.io | SKILL.md:25
Medium | External URL | https://snappwd.io/g/abc123...#encryption-key... | SKILL.md:54
Medium | External URL | https://snappwd.io/g/abc123def456...#encryption-key... | references/cli-usage.md:19
Medium | External URL | https://snappwd.io/g/abc123...#key... | references/cli-usage.md:43
Medium | External URL | https://secrets.your-domain.com/api/v1 | references/cli-usage.md:73
Medium | External URL | https://snappwd.io/g/ | references/cli-usage.md:82

Directory structure

4 files · 10.7 KB · 360 lines
Markdown 3f · 320L Shell 1f · 40L
├─ 📁 references
│ ├─ 📝 cli-usage.md Markdown 85L · 1.5 KB
│ └─ 📝 security-model.md Markdown 110L · 3.3 KB
├─ 📁 scripts
│ └─ 🔧 snappwd-share.sh Shell 40L · 967 B
└─ 📝 SKILL.md Markdown 125L · 4.9 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@snappwd/cli | * | npm | | Version not pinned - installed via 'npm install -g @snappwd/cli'

Security highlights

✓ All functionality is clearly documented in SKILL.md with no hidden behavior
✓ Skill implements zero-knowledge encryption design - server never sees plaintext secrets
✓ One-time links with a self-destruct mechanism prevent credential reuse
✓ Key-in-URL-fragment approach ensures encryption key never reaches the server
✓ No credential harvesting - skill is designed to help users SHARE secrets safely, not steal them
✓ No base64 obfuscation, reverse shells, or C2 communication detected
✓ References to sensitive paths (like ~/.ssh/id_rsa) are examples of what users CAN share, not what the skill accesses
✓ Shell execution is limited to documented CLI tool invocation for secret sharing