purchase_record Security Report — Low Risk | ClawSafe

15 /100

purchase_record

采购记录管理 - 自动将采购信息写入 Excel

Legitimate purchase record management tool with minor security concerns (hardcoded paths, exec() usage) but no malicious behavior detected.

Skill Namepurchase_record

Duration33.8s

Enginepi

✓

Safe to install

Consider pinning openpyxl version and documenting the shell:WRITE permission in SKILL.md for transparency.

Findings 3 items

Severity	Finding	Location
Low	Undeclared shell execution via exec() The JavaScript entry point uses child_process.exec() to run Python scripts. While input is sanitized with quote escaping, this should be declared in SKILL.md. `exec(pythonCmd, (error, stdout, stderr) => {...})` → Add shell:WRITE to declared permissions in SKILL.md	`scripts/index.js:15`
Low	Hardcoded absolute paths Python and JavaScript scripts use hardcoded paths to specific user directories (C:\Users\Administrator.rjazz-2022BWPUD\...). This limits portability but is appropriate for a personal utility. `const PYTHON_SCRIPT_PATH = 'C:\\...'` → Consider using relative paths or environment variables for better portability	`scripts/index.js:4`
Info	Unpinned dependency The skill uses openpyxl without version pinning, which could lead to unexpected behavior if the library is updated. `import openpyxl` → Pin openpyxl version (e.g., openpyxl>=3.0.0,<4.0.0)	`scripts/record.py:5`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	openpyxl load_workbook/save to desktop path
Shell	`NONE`	`WRITE`	✓ Aligned	scripts/index.js:15 exec() with python command
Network	`NONE`	`NONE`	—	No network requests found
Environment	`NONE`	`NONE`	—	No environment variable access
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser access
Database	`NONE`	`NONE`	—	No database access

10 files · 16.7 KB · 569 lines

Python 3f · 332L JavaScript 3f · 175L Markdown 2f · 60L JSON 2f · 2L

├─ ▾ 📁 scripts

│ ├─ 📜 add_purchase.js JavaScript 74L · 2.4 KB

│ ├─ 🐍 add_purchase.py Python 125L · 3.4 KB

│ ├─ 📜 index.js JavaScript 77L · 2.8 KB

│ ├─ 🐍 main.py Python 73L · 1.8 KB

│ ├─ 🐍 record.py Python 134L · 4.0 KB

│ └─ 📜 test.js JavaScript 24L · 651 B

├─ 🔑 config.json ⚠ JSON 1L · 143 B

├─ 📋 package.json JSON 1L · 143 B

├─ 📝 README.md Markdown 36L · 814 B

└─ 📝 SKILL.md Markdown 24L · 672 B

Package	Version	Source	Known Vulns	Notes
`openpyxl`	`unspecified`	pip	No	Version not pinned in requirements.txt
`exceljs`	`unspecified`	npm	No	Version not pinned in package.json

✓ No network requests or data exfiltration detected

✓ No credential harvesting or sensitive path access

✓ No base64-encoded payloads or obfuscated code

✓ No curl|bash or remote script execution

✓ Input sanitization present (quote escaping in exec())

✓ Legitimate use case: local Excel file manipulation only