purchase_record 安全扫描报告 — 低风险 | ClawSafe

15 /100

purchase_record

采购记录管理 - 自动将采购信息写入 Excel

Legitimate purchase record management tool with minor security concerns (hardcoded paths, exec() usage) but no malicious behavior detected.

技能名称purchase_record

分析耗时33.8s

引擎pi

✓

可以安装

Consider pinning openpyxl version and documenting the shell:WRITE permission in SKILL.md for transparency.

安全发现 3 项

严重性	安全发现	位置
低危	Undeclared shell execution via exec() The JavaScript entry point uses child_process.exec() to run Python scripts. While input is sanitized with quote escaping, this should be declared in SKILL.md. `exec(pythonCmd, (error, stdout, stderr) => {...})` → Add shell:WRITE to declared permissions in SKILL.md	`scripts/index.js:15`
低危	Hardcoded absolute paths Python and JavaScript scripts use hardcoded paths to specific user directories (C:\Users\Administrator.rjazz-2022BWPUD\...). This limits portability but is appropriate for a personal utility. `const PYTHON_SCRIPT_PATH = 'C:\\...'` → Consider using relative paths or environment variables for better portability	`scripts/index.js:4`
提示	Unpinned dependency The skill uses openpyxl without version pinning, which could lead to unexpected behavior if the library is updated. `import openpyxl` → Pin openpyxl version (e.g., openpyxl>=3.0.0,<4.0.0)	`scripts/record.py:5`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	openpyxl load_workbook/save to desktop path
命令执行	`NONE`	`WRITE`	✓ 一致	scripts/index.js:15 exec() with python command
网络访问	`NONE`	`NONE`	—	No network requests found
环境变量	`NONE`	`NONE`	—	No environment variable access
技能调用	`NONE`	`NONE`	—	No cross-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No database access

10 文件 · 16.7 KB · 569 行

Python 3f · 332L JavaScript 3f · 175L Markdown 2f · 60L JSON 2f · 2L

├─ ▾ 📁 scripts

│ ├─ 📜 add_purchase.js JavaScript 74L · 2.4 KB

│ ├─ 🐍 add_purchase.py Python 125L · 3.4 KB

│ ├─ 📜 index.js JavaScript 77L · 2.8 KB

│ ├─ 🐍 main.py Python 73L · 1.8 KB

│ ├─ 🐍 record.py Python 134L · 4.0 KB

│ └─ 📜 test.js JavaScript 24L · 651 B

├─ 🔑 config.json ⚠ JSON 1L · 143 B

├─ 📋 package.json JSON 1L · 143 B

├─ 📝 README.md Markdown 36L · 814 B

└─ 📝 SKILL.md Markdown 24L · 672 B

包名	版本	来源	已知漏洞	备注
`openpyxl`	`unspecified`	pip	否	Version not pinned in requirements.txt
`exceljs`	`unspecified`	npm	否	Version not pinned in package.json

✓ No network requests or data exfiltration detected

✓ No credential harvesting or sensitive path access

✓ No base64-encoded payloads or obfuscated code

✓ No curl|bash or remote script execution

✓ Input sanitization present (quote escaping in exec())

✓ Legitimate use case: local Excel file manipulation only