interactive-architecture-diagram Security Report — Low Risk | ClawSafe

15 /100

interactive-architecture-diagram

AI automation drawing and complex information visualization tool based on ContextWeave

This is a legitimate diagram generation client that sends user requests to an external API. While there are minor concerns about a hardcoded API key and an undeclared API host, the core functionality is straightforward and documented.

Skill Nameinteractive-architecture-diagram

Duration33.9s

Enginepi

✓

Safe to install

Consider replacing the hardcoded API key with a proper error message and documenting the bpjwmsdb.com endpoint. Otherwise safe to use for its stated purpose.

Findings 2 items

Severity	Finding	Location
Low	Hardcoded default API key in source Credential Theft A default API key '94a05d02-9ade-4d9d-9f39-88734d9e34b4' is hardcoded as fallback in cw_client.cjs line 21. While this may be an anonymous/placeholder key, hardcoding credentials in source code is a bad practice. `return key \|\| "94a05d02-9ade-4d9d-9f39-88734d9e34b4";` → Remove the hardcoded key and throw an error if no API key is configured, forcing users to set the environment variable explicitly.	`scripts/cw_client.cjs:21`
Low	Undeclared API host in allowlist Doc Mismatch The host allowlist in cw_client.cjs includes 'bpjwmsdb.com' which is not mentioned in SKILL.md's security boundary section (only 'pptx.chenxitech.site' is declared). This creates a documentation mismatch. `const allowlist = ["api.contextweave.site", "contextweave.site", "pptx.chenxitech.site", "bpjwmsdb.com"];` → Document all allowed API hosts in SKILL.md's security section for transparency.	`scripts/cw_client.cjs:45`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	Reads input_file parameter path
Filesystem	`WRITE`	`WRITE`	✓ Aligned	Writes .cw files and request files to cwd
Network	`READ`	`WRITE`	✓ Aligned	POSTs data to API, declared as '后端地址' without explicit READ/WRITE distinction
Shell	`WRITE`	`WRITE`	✓ Aligned	Executes 'node scripts/*.cjs' via Bash
Environment	`READ`	`READ`	✓ Aligned	Reads CONTEXTWEAVE_MCP_API_KEY and CONTEXTWEAVE_EDITOR_PROTOCOL

2 findings

🔗

Medium External URL 外部 URL

https://pptx.chenxitech.site

SKILL.md:189

🔗

Medium External URL 外部 URL

https://api.contextweave.site

cwmcp_config.example.json:2

File Tree

9 files · 31.3 KB · 855 lines

JavaScript 6f · 648L Markdown 1f · 192L JSON 2f · 15L

├─ ▾ 📁 scripts

│ ├─ 📜 cw_client.cjs JavaScript 283L · 9.5 KB

│ ├─ 📜 edit_contextweave.cjs JavaScript 86L · 2.4 KB

│ ├─ 📜 export_contextweave_code.cjs JavaScript 47L · 1.1 KB

│ ├─ 📜 export_session_asset.cjs JavaScript 74L · 1.9 KB

│ ├─ 📜 generate_contextweave.cjs JavaScript 108L · 2.9 KB

│ └─ 📜 import_contextweave_code.cjs JavaScript 50L · 1.3 KB

├─ 📋 _meta.json JSON 11L · 217 B

├─ 📋 cwmcp_config.example.json JSON 4L · 82 B

└─ 📝 SKILL.md Markdown 192L · 11.8 KB

Security Positives

✓ Path traversal protection via validateSafePath() rejects paths outside cwd

✓ Host allowlist restricts API endpoints to known domains

✓ No credential scanning or harvesting from sensitive paths (~/.ssh, ~/.aws, .env)

✓ No obfuscation techniques (base64, eval) observed

✓ No suspicious network behavior like direct IP connections

✓ No persistence mechanisms (cron, startup hooks) installed

✓ Input files validated for existence before reading

Scan Report

Findings 2 items

File Tree

Security Positives