Scan report
5/100
bw-invoice-verification-service
Invoice verification service for querying quota, verifying invoice text/images, and managing recharge orders
The skill is a legitimate invoice verification service with no malicious behavior. All functionality is declared and necessary for the service.
Safe to install
No action needed. The skill operates as declared with proper scope.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md declares node script execution; code reads config files in ~/.openclaw/… |
| Network access | READ | READ | ✓ Consistent | SKILL.md declares fixed API URLs; code only calls declared endpoints |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares node script execution via Bash tool |
| Environment variables | NONE | NONE | — | No environment variable access beyond optional config overrides (OPENCLAW_DEVICE… |
3 findings
Medium · External URL · https://test.51yzt.cn/assetInnovate · README.md:11
Medium · External URL · http://192.168.154.76:18888 · README.md:49
Medium · External URL · http://asset-check-innovate-service-http.default.yf-bw-test-2.test.51baiwang.com · SKILL.md:7
Directory structure
4 files · 61.7 KB · 1939 lines
JavaScript: 1 file · 1709 lines
Markdown: 2 files · 223 lines
YAML: 1 file · 7 lines
├─ agents
│  └─ openai.yaml (YAML)
├─ scripts
│  └─ invoice_service.js (JavaScript)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Security highlights
✓ All external API calls go to declared URLs only (test.51yzt.cn, yf-bw-test-2.test.51baiwang.com)
✓ Device fingerprinting is limited to non-sensitive identifiers (platform, arch, hostname, username, MAC) for API authentication
✓ API keys are stored locally in config file only, not exfiltrated
✓ No remote code execution, no credential theft, no data exfiltration beyond invoice verification payloads
✓ Script uses native Node.js modules only (crypto, fs, os, path) - no external dependencies
✓ Config files stored in standard location (~/.openclaw/invoice-skill/) with masked keys in output
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files