Low risk: risk score 15/100
Last scanned: 21 hours ago
interactive-architecture-diagram
AI automation drawing and complex information visualization tool based on ContextWeave
This is a legitimate diagram generation client that sends user requests to an external API. While there are minor concerns about a hardcoded API key and an undeclared API host, the core functionality is straightforward and documented.
Skill name: interactive-architecture-diagram
Analysis time: 33.9s
Engine: pi
OK to install
Consider replacing the hardcoded API key with a proper error message and documenting the bpjwmsdb.com endpoint. Otherwise safe to use for its stated purpose.

Security findings: 2

Severity, finding, location
Low
Hardcoded default API key in source (Credential theft)
A default API key '94a05d02-9ade-4d9d-9f39-88734d9e34b4' is hardcoded as fallback in cw_client.cjs line 21. While this may be an anonymous/placeholder key, hardcoding credentials in source code is a bad practice.
return key || "94a05d02-9ade-4d9d-9f39-88734d9e34b4";
→ Remove the hardcoded key and throw an error if no API key is configured, forcing users to set the environment variable explicitly.
scripts/cw_client.cjs:21
Low
Undeclared API host in allowlist (Documentation deception)
The host allowlist in cw_client.cjs includes 'bpjwmsdb.com' which is not mentioned in SKILL.md's security boundary section (only 'pptx.chenxitech.site' is declared). This creates a documentation mismatch.
const allowlist = ["api.contextweave.site", "contextweave.site", "pptx.chenxitech.site", "bpjwmsdb.com"];
→ Document all allowed API hosts in SKILL.md's security section for transparency.
scripts/cw_client.cjs:45
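| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ | READ | ✓ Consistent | Reads input_file parameter path |
| File system | WRITE | WRITE | ✓ Consistent | Writes .cw files and request files to cwd |
| Network access | READ | WRITE | ✓ Consistent | POSTs data to API, declared as '后端地址' (backend address) without explicit READ/WRITE distinction |
| Command execution | WRITE | WRITE | ✓ Consistent | Executes 'node scripts/*.cjs' via Bash |
| Environment variables | READ | READ | ✓ Consistent | Reads CONTEXTWEAVE_MCP_API_KEY and CONTEXTWEAVE_EDITOR_PROTOCOL |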
2 findings
Medium: External URL
https://pptx.chenxitech.site
SKILL.md:189
Medium: External URL
https://api.contextweave.site
cwmcp_config.example.json:2

Directory structure

9 files · 31.3 KB · 855 lines
JavaScript: 6 files, 648 lines · Markdown: 1 file, 192 lines · JSON: 2 files, 15 lines
├─ 📁 scripts
│ ├─ 📜 cw_client.cjs JavaScript 283L · 9.5 KB
│ ├─ 📜 edit_contextweave.cjs JavaScript 86L · 2.4 KB
│ ├─ 📜 export_contextweave_code.cjs JavaScript 47L · 1.1 KB
│ ├─ 📜 export_session_asset.cjs JavaScript 74L · 1.9 KB
│ ├─ 📜 generate_contextweave.cjs JavaScript 108L · 2.9 KB
│ └─ 📜 import_contextweave_code.cjs JavaScript 50L · 1.3 KB
├─ 📋 _meta.json JSON 11L · 217 B
├─ 📋 cwmcp_config.example.json JSON 4L · 82 B
└─ 📝 SKILL.md Markdown 192L · 11.8 KB

Security highlights

✓ Path traversal protection via validateSafePath() rejects paths outside cwd
✓ Host allowlist restricts API endpoints to known domains
✓ No credential scanning or harvesting from sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (base64, eval) observed
✓ No suspicious network behavior like direct IP connections
✓ No persistence mechanisms (cron, startup hooks) installed
✓ Input files validated for existence before reading