Low risk — risk score 20/100
Last scan: 2 days ago
telegram-contract-ops
Telegram-based internal contract generation and eID intake workflow for Vietnamese operations
This is a legitimate Vietnamese contract generation and eID OCR workflow with expected Telegram API integration and subprocess usage, though SKILL.md lacks formal allowed-tools declarations.
Skill name: telegram-contract-ops
Analysis time: 35.0s
Engine: pi
Verdict: can be installed
Add formal allowed-tools declaration to SKILL.md (filesystem:WRITE, network:READ, shell:WRITE, environment:READ) and document the execFileSync usage for docx generation.

Security findings (2)

Severity · Finding · Location

Low · SKILL.md lacks allowed-tools declaration · SKILL.md:1
The skill does not declare any allowed-tools permissions despite code using filesystem write, network read, shell execution, and environment variable access.
Evidence: No allowed-tools section present
→ Add an allowed-tools declaration section to align with the pi skill schema

Low · Hardcoded workspace paths in Python script · scripts/plan-b-docx-generate.py:19
The Python script contains hardcoded paths under /Users/vtammm/.openclaw/workspace which may not exist in all environments.
Evidence: WORKSPACE = Path('/Users/vtammm/.openclaw/workspace')
→ Use environment variables or relative paths for cross-platform compatibility
Resource type        Declared   Inferred   Status         Evidence
File system          NONE       WRITE      ✓ Consistent   scripts/telegram-planb-bot.js:36-37
Network access       NONE       READ       ✓ Consistent   scripts/telegram-planb-bot.js:46-51
Command execution    NONE       WRITE      ✓ Consistent   scripts/plan-b-telegram-to-docx.js:119
Environment variables NONE      READ       ✓ Consistent   scripts/telegram-planb-bot.js:7
4 additional findings

🔗 Medium · External URL
http://schemas.openxmlformats.org/wordprocessingml/2006/main
scripts/plan-b-docx-generate.py:11

🔗 Medium · External URL
https://api.telegram.org/bot$
scripts/telegram-planb-bot.js:8

🔗 Medium · External URL
https://api.telegram.org/file/bot$
scripts/telegram-planb-bot.js:60

📧 Info · Email address
[email protected]
scripts/plan-b-docx-generate.py:46

Directory structure

14 files · 51.3 KB · 1528 lines
JavaScript 3 files · 782 lines; Markdown 8 files · 446 lines; Python 1 file · 208 lines; Swift 1 file · 74 lines; Text 1 file · 18 lines
├─ 📁 assets
│ └─ 📄 plan-b-telegram-template.txt Text 18L · 175 B
├─ 📁 references
│ ├─ 📝 architecture.md Markdown 33L · 922 B
│ ├─ 📝 clawhub.md Markdown 39L · 693 B
│ ├─ 📝 deployment.md Markdown 207L · 4.2 KB
│ ├─ 📝 input-template.md Markdown 24L · 300 B
│ ├─ 📝 macos.md Markdown 25L · 507 B
│ ├─ 📝 troubleshooting.md Markdown 30L · 1.0 KB
│ └─ 📝 windows.md Markdown 30L · 761 B
├─ 📁 scripts
│ ├─ 🐍 plan-b-docx-generate.py Python 208L · 10.2 KB
│ ├─ 📜 plan-b-telegram-to-docx.js JavaScript 172L · 6.0 KB
│ ├─ 📜 plan-c-eid-parse.js JavaScript 230L · 8.1 KB
│ ├─ 📄 plan-c-ocr.swift Swift 74L · 1.7 KB
│ └─ 📜 telegram-planb-bot.js JavaScript 380L · 14.5 KB
└─ 📝 SKILL.md Markdown 58L · 2.2 KB

Dependency analysis (1)

Package            Version   Source   Known vulnerabilities   Notes
python3 (system)   n/a       system                           Standard library only, no pip dependencies

Security highlights

✓ No base64-encoded payloads or obfuscated code
✓ No credential harvesting or data exfiltration to external IPs
✓ No unauthorized access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell or C2 communications
✓ Legitimate Telegram API integration for bot functionality
✓ Subprocess calls (python3, swift, node) are necessary for the stated contract generation workflow
✓ State files and temporary artifacts are stored in workspace-specific directories
✓ No suspicious network patterns (direct IP connections, DNS over HTTPS for tunneling)