Trusted — Risk Score 5/100
Last scan: 2 days ago
bw-invoice-verification-service
Invoice verification service for querying quota, verifying invoice text/images, and managing recharge orders
The skill is a legitimate invoice verification service with no malicious behavior. All functionality is declared and necessary for the service.
Skill Name: bw-invoice-verification-service
Duration: 26.6s
Engine: pi
Safe to install
No action needed. The skill operates as declared with proper scope.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md declares node script execution; code reads config files in ~/.openclaw/… |
| Network | READ | READ | ✓ Aligned | SKILL.md declares fixed API URLs; code only calls declared endpoints |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md declares node script execution via Bash tool |
| Environment | NONE | NONE | | No environment variable access beyond optional config overrides (OPENCLAW_DEVICE… |
3 findings
Medium: External URL
https://test.51yzt.cn/assetInnovate
README.md:11

Medium: External URL
http://192.168.154.76:18888
README.md:49

Medium: External URL
http://asset-check-innovate-service-http.default.yf-bw-test-2.test.51baiwang.com
SKILL.md:7

File Tree

4 files · 61.7 KB · 1939 lines
JavaScript 1f · 1709L Markdown 2f · 223L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 965 B
├─ 📁 scripts
│ └─ 📜 invoice_service.js JavaScript 1709L · 49.9 KB
├─ 📝 README.md Markdown 112L · 7.3 KB
└─ 📝 SKILL.md Markdown 111L · 3.5 KB

Security Positives

✓ All external API calls go to declared URLs only (test.51yzt.cn, yf-bw-test-2.test.51baiwang.com)
✓ Device fingerprinting is limited to non-sensitive identifiers (platform, arch, hostname, username, MAC) for API authentication
✓ API keys are stored locally in config file only, not exfiltrated
✓ No remote code execution, no credential theft, no data exfiltration beyond invoice verification payloads
✓ Script uses native Node.js modules only (crypto, fs, os, path) - no external dependencies
✓ Config files stored in standard location (~/.openclaw/invoice-skill/) with masked keys in output
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files