Low risk: risk score 15/100
Last scan: 21 hours ago
upload-skill
Create and manage test payment links (one-time, recurring, payment plans, multiple products, custom plans, pay-what-you-want).
A test payment link creation skill with minor documentation inconsistencies but no malicious behavior observed.
Skill name: upload-skill
Analysis time: 31.3s
Engine: pi
Verdict: safe to install
Fix the hardcoded API key to use the declared TEST_API_KEY environment variable for consistency. No security action required beyond documentation alignment.

Security findings (3)

Severity | Finding | Category | Location

Low | Hardcoded credential instead of declared environment variable | Documentation deception | scripts/test-scrpt.js:2
SKILL.md metadata declares TEST_API_KEY as an environment variable requirement, but the implementation in test-scrpt.js line 2 hardcodes API_KEY='abc'. This is a minor inconsistency in a test/sandbox skill context.
    const API_KEY = 'abc';
→ Change to: const API_KEY = process.env.TEST_API_KEY || '';

Low | Extensive validation rules in SKILL.md not implemented | Documentation deception | SKILL.md:1
SKILL.md sections 2-14 contain extensive validation, security, error handling, webhook, and testing rules that are not implemented in the actual script. This creates a documentation-code mismatch but poses no security risk for a test skill.
    Sections 2-14 describe validation, security rules, and advanced features
→ Either implement the documented rules or simplify SKILL.md to match actual functionality

Info | Localhost-only network communication | Sensitive access | scripts/test-scrpt.js:4
The script only communicates with localhost:4000, indicating a local test environment with no external network exposure.
    BASE = 'http://localhost:4000/v1'
→ This is acceptable for a test skill, but ensure production variants use HTTPS
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No file operations in test-scrpt.js
Network access | READ | READ | ✓ consistent | test-scrpt.js:18 uses fetch to localhost:4000
Command execution | NONE | NONE | | No shell/subprocess execution found
Environment variables | READ | NONE | ✓ consistent | SKILL.md declares TEST_API_KEY env but test-scrpt.js:2 hardcodes 'abc'
Skill invocation | NONE | NONE | | No skill invocation detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database operations
External URLs (1 finding)

Medium | External URL | https://test.com | SKILL.md:9

Directory structure

2 files · 7.3 KB · 308 lines
Markdown: 1 file, 229 lines · JavaScript: 1 file, 79 lines
├─ 📁 scripts
│ └─ 📜 test-scrpt.js JavaScript 79L · 2.0 KB
└─ 📝 SKILL.md Markdown 229L · 5.3 KB

Security highlights

✓ No shell execution or command injection vectors
✓ No credential harvesting or exfiltration mechanisms
✓ No obfuscation or anti-analysis techniques
✓ No access to sensitive filesystem paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or eval usage
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risks - only uses Node.js built-in fetch
✓ Localhost-only network traffic prevents data exfiltration
✓ Input validation present for required fields