Low risk: risk score 18/100
Last scan: 2 days ago
meeting-efficiency-pro
AI-powered meeting optimization tool that analyzes calendar events, provides efficiency scores, extracts action items, and automates follow-ups
This is a legitimate productivity tool for meeting analysis with no malicious behavior. Shell execution (npm install) is confined to the setup command, API keys are used only for stated AI provider calls, and no credential exfiltration or sensitive path access was found.
Skill name: meeting-efficiency-pro
Analysis time: 56.1s
Engine: pi
Verdict: safe to install
This skill is safe to use. The only recommendation is to pin dependency versions in package.json to prevent supply chain risks from unversioned dependencies.

Security findings (4)

Each finding lists severity, title, location, evidence and recommendation.
[Low] Unpinned npm dependencies (package.json:30)
All 8 dependencies in package.json use caret (^) version ranges, which permit any compatible minor or patch update. Without a committed lockfile this is a supply chain risk: a compromised upstream release within the range would be pulled silently on the next fresh install.
Evidence: "openai": "^4.0.0"
→ Pin exact versions (e.g., "openai": "4.0.0") or commit a lockfile (package-lock.json) and install with npm ci so that the lockfile is honored
[Info] Shell execution in setup command not documented (index.js:73)
The setup() function in index.js uses child_process.exec to run 'npm install' and node/npm version checks, but SKILL.md does not declare shell:WRITE in its capability mapping. The command strings quoted in the evidence are literals, so this is a minor doc-to-code mismatch.
Evidence: const { stdout } = await execPromise('node --version')
→ Add shell:WRITE to the SKILL.md capability declaration if this behavior is intentional
[Info] External URL reference (index.js:403)
The skill references https://clawhub.com/skills/meeting-efficiency-pro in help text and in index.js. No network request to this URL was found in any code path.
Evidence: https://clawhub.com/skills/meeting-efficiency-pro
→ No action needed: this is a documentation URL, not an active network call
[Info] AI API key accepted from interactive input without documented sanitization (scripts/setup.js:46)
scripts/setup.js accepts AI API keys from interactive user input and writes them to config/default.json. The key is then used by lib/analyzer.js for OpenAI/Grok API calls. No evidence of exfiltration was found.
Evidence: config.ai_api_key = apiKey
→ No action needed for the key handling itself, which is standard; in production restrict config/default.json to its owner (mode 0600) and keep it out of version control
Resource | Declared | Inferred | Status | Evidence
File system | READ | WRITE | ✓ consistent | index.js:83 writes config/default.json; SKILL.md only mentions reading config fi…
Network access | READ | READ | ✓ consistent | index.js:403 references https://clawhub.com (docs only); actual AI API calls wou…
Command execution | NONE | WRITE | ✓ consistent | index.js:73-88 uses exec for 'npm --version' and 'npm install' within setup() co…
Environment variables | NONE | NONE | | No enumeration of environment variables found; config loaded from JSON file only

Note: in the file system and command execution rows the inferred permission (WRITE) exceeds the declared one (READ and NONE respectively). That is the same doc-to-code mismatch recorded in the findings above, even though the status column reads consistent.
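The declared-versus-inferred comparison in this table, and the undeclared shell:WRITE in the second finding above, can be reproduced with a small static check. The following is an added example, not the scanner's (pi) code or the skill's: it infers capabilities from source text by pattern matching and diffs them against a capabilities line in SKILL.md. The input files, the "capabilities:" line format and the capability labels are constructed assumptions modelled on the report.

```javascript
// Added example (not the scanner's or the skill's code): infer capabilities from
// source text with pattern matching and diff them against what SKILL.md declares.
// The SKILL.md "capabilities:" line format and the labels are assumptions.

// Each rule maps a source pattern to the capability it implies. These are
// screening heuristics: aliased or dynamically required APIs will slip past them.
const INFERENCE_RULES = [
  { cap: 'shell:WRITE',  re: /\bchild_process\b|\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/ },
  { cap: 'fs:WRITE',     re: /\bfs(?:\.promises)?\.(?:writeFile|writeFileSync|appendFile|appendFileSync|mkdirSync|rmSync|unlinkSync)\s*\(/ },
  { cap: 'fs:READ',      re: /\bfs(?:\.promises)?\.(?:readFile|readFileSync|readdir|readdirSync)\s*\(/ },
  { cap: 'network:READ', re: /\b(?:fetch|axios(?:\.\w+)?|https?\.(?:get|request))\s*\(/ },
  { cap: 'env:READ',     re: /\bprocess\.env\b/ },
];

// Returns a Map of capability -> "file:line" for the first line that implied it.
function inferCapabilities(files) {
  const inferred = new Map();
  for (const [file, text] of Object.entries(files)) {
    text.split('\n').forEach((line, idx) => {
      for (const { cap, re } of INFERENCE_RULES) {
        if (!inferred.has(cap) && re.test(line)) inferred.set(cap, `${file}:${idx + 1}`);
      }
    });
  }
  return inferred;
}

// Reads "capabilities: a, b, c" lines (assumed format) from SKILL.md text.
function declaredCapabilities(skillMd) {
  const declared = new Set();
  for (const line of skillMd.split('\n')) {
    const m = /^capabilities?\s*:\s*(.+)$/i.exec(line.trim());
    if (m) m[1].split(',').map((s) => s.trim()).filter(Boolean).forEach((c) => declared.add(c));
  }
  return declared;
}

// Returns { undeclared, unused }: capabilities the code implies but SKILL.md omits,
// and capabilities SKILL.md claims that no pattern in the code supports.
function compareCapabilities(files, skillMd) {
  const inferred = inferCapabilities(files);
  const declared = declaredCapabilities(skillMd);
  const undeclared = [...inferred]
    .filter(([cap]) => !declared.has(cap))
    .map(([cap, where]) => ({ cap, where }));
  const unused = [...declared].filter((cap) => !inferred.has(cap));
  return { undeclared, unused };
}

// Constructed inputs modelled on the report: setup() shells out and writes the
// config, the analyzer calls the AI provider, SKILL.md declares only reads.
const constructedFiles = {
  'index.js': [
    "const fs = require('fs');",
    "const { exec } = require('child_process');",
    "const { promisify } = require('util');",
    "const execPromise = promisify(exec);",
    "async function setup() {",
    "  const { stdout } = await execPromise('node --version');",
    "  fs.writeFileSync('config/default.json', JSON.stringify({ node: stdout.trim() }));",
    "}",
  ].join('\n'),
  'lib/analyzer.js': [
    "const axios = require('axios');",
    "async function score(events) { return axios.post('https://api.openai.com/v1/chat/completions', events); }",
  ].join('\n'),
};
const constructedSkillMd = '# meeting-efficiency-pro\ncapabilities: fs:READ, network:READ\n';

const report = compareCapabilities(constructedFiles, constructedSkillMd);
for (const { cap, where } of report.undeclared) console.log(`undeclared ${cap} (first seen ${where})`);
for (const cap of report.unused) console.log(`declared but not observed: ${cap}`);
```

On the constructed input the check reports shell:WRITE and fs:WRITE as undeclared and fs:READ as declared but unobserved, matching the shape of the table above. Treat an undeclared capability as a prompt to read the code at the reported line, not as a verdict: the patterns see `child_process` but cannot tell a fixed `npm install` from a command built from user input.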
Indicators (2)

Severity | Type | Value | Location
Medium | External URL | https://clawhub.com/skills/meeting-efficiency-pro | index.js:403
Info | Email address | [email protected] | SKILL.md:169

Directory structure

11 files · 86.2 KB · 2805 lines
JavaScript: 6 files · 2038 lines; Markdown: 3 files · 678 lines; JSON: 2 files · 89 lines
├─ 📁 config
│ └─ 📋 default.json JSON 35L · 810 B
├─ 📁 lib
│ ├─ 📜 analyzer.js JavaScript 514L · 15.9 KB
│ ├─ 📜 calendar.js JavaScript 257L · 7.2 KB
│ └─ 📜 reporter.js JavaScript 457L · 15.8 KB
├─ 📁 references
│ └─ 📝 api-docs.md Markdown 446L · 10.6 KB
├─ 📁 scripts
│ ├─ 📜 demo.js JavaScript 219L · 8.0 KB
│ └─ 📜 setup.js JavaScript 163L · 5.7 KB
├─ 📜 index.js JavaScript 428L · 14.5 KB
├─ 📋 package.json JSON 54L · 1.2 KB
├─ 📝 README.md Markdown 29L · 642 B
└─ 📝 SKILL.md Markdown 203L · 5.8 KB

Dependency analysis (8)

Package | Version | Source | Known vulnerabilities | Notes
openai | ^4.0.0 | npm | | Caret range, not pinned
googleapis | ^128.0.0 | npm | | Caret range, not pinned
node-schedule | ^2.1.0 | npm | | Caret range, not pinned
ical | ^0.8.0 | npm | | Caret range, not pinned
dotenv | ^16.0.0 | npm | | Caret range, not pinned
axios | ^1.0.0 | npm | | Caret range, not pinned
chalk | ^4.1.0 | npm | | Caret range, not pinned
inquirer | ^8.0.0 | npm | | Caret range, not pinned
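The caret ranges in this table, and the pinning recommendation in the first finding, can be checked and fixed mechanically. The following is an added example, not part of the skill or the scanner: it reports every dependency whose specifier is not an exact version and produces a copy of package.json with each simple range collapsed to its lower bound. The package.json object is constructed from the table above rather than read from the project.

```javascript
// Added example (not from the scanned skill or the scanner): find unpinned
// dependency specifiers in a package.json object and pin them to their lower bound.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// An exact version: MAJOR.MINOR.PATCH with an optional pre-release/build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// A simple range with a single lower bound: ^1.2.3, ~1.2.3, >=1.2.3.
const SIMPLE_RANGE = /^(?:\^|~|>=)\s*(\d+\.\d+\.\d+)$/;

// Returns every dependency whose specifier is not an exact version.
function findUnpinned(pkg) {
  const unpinned = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Returns a deep copy of pkg with simple ranges collapsed to their lower bound.
// Anything else (git URLs, tags like "latest", compound ranges) is left as is and
// still shows up in findUnpinned for manual review. The input is not mutated.
function pinLowerBounds(pkg) {
  const pinned = JSON.parse(JSON.stringify(pkg));
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pinned[field] || {})) {
      const m = SIMPLE_RANGE.exec(spec);
      if (m) pinned[field][name] = m[1];
    }
  }
  return pinned;
}

// Constructed input mirroring the dependency table in this report.
const constructedPackageJson = {
  name: 'meeting-efficiency-pro',
  dependencies: {
    openai: '^4.0.0',
    googleapis: '^128.0.0',
    'node-schedule': '^2.1.0',
    ical: '^0.8.0',
    dotenv: '^16.0.0',
    axios: '^1.0.0',
    chalk: '^4.1.0',
    inquirer: '^8.0.0',
  },
};

for (const { field, name, spec } of findUnpinned(constructedPackageJson)) {
  console.log(`${field}/${name}: "${spec}" is a range, not an exact version`);
}
console.log(JSON.stringify(pinLowerBounds(constructedPackageJson).dependencies, null, 2));
```

Collapsing to the lower bound pins the floor of each range, which may be older than what the project currently resolves; in practice take the exact versions from an existing package-lock.json (or `npm ls --json`) instead. Pinning alone also does not verify content: commit the lockfile, which records integrity hashes, and install with `npm ci` so that a lockfile that disagrees with package.json fails the install rather than being rewritten.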

Security highlights

✓ No base64, eval, or obfuscated code found anywhere in the codebase
✓ No iteration over environment variables looking for credentials
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive filesystem paths
✓ No curl|bash or wget|sh remote script execution patterns
✓ No hidden HTML comments, steganography, or covert channels
✓ No data exfiltration - credentials stay in config file and are only sent to the declared AI provider
✓ No direct IP network connections to unknown endpoints
✓ No reverse shell, C2, or persistence mechanisms
✓ Shell execution is confined to the interactive setup command and limited to npm install and node/npm version checks
✓ AI API key handling follows standard practices (config file, environment variable override documented)