employee-reminder-ops Security Report — Low Risk | ClawSafe

20 /100

employee-reminder-ops

Google Sheets-driven employee reminder and special-event reporting workflow for internal operations

A legitimate employee reminder workflow that reads Google Sheets and sends reports to Discord, with only minor privacy leakage from hardcoded personal paths.

Skill Nameemployee-reminder-ops

Duration31.9s

Enginepi

✓

Safe to install

Consider replacing the hardcoded home directory path in run-plan-a.sh with $HOME or a relative path for better portability and reduced information disclosure.

Findings 2 items

Severity	Finding	Location
Low	Hardcoded personal path in shell script run-plan-a.sh contains hardcoded path /Users/vtammm/.openclaw/workspace which exposes username and is non-portable `cd /Users/vtammm/.openclaw/workspace` → Use $HOME or relative path for better portability	`scripts/run-plan-a.sh:4`
Low	Hardcoded default values for sensitive identifiers Spreadsheet ID, Discord channel ID, and Google account are hardcoded as defaults in plan-a-demo.js CONFIG object `spreadsheetId: process.env.PLAN_A_SHEET_ID \|\| '17JU1m6rBOhlD7vqSTrMOSPcEQehO04HnYg7oMeDXnn8'` → While documented in references/PLAN_A_DEMO_USAGE.md as test defaults, production deployments should not rely on these hardcoded values	`scripts/plan-a-demo.js:7`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md line 1: 'Read employee and special-event data from Google Sheets'; plan…
Network	`READ`	`WRITE`	✓ Aligned	SKILL.md: 'Route reminder reports into Telegram or Discord'; plan-a-demo.js:242:…
Shell	`NONE`	`WRITE`	✓ Aligned	Uses execFileSync for gog CLI only, declared in references/deployment.md as requ…

3 findings

🔗

Medium External URL 外部 URL

https://discord.com/api/v10/channels/$

scripts/plan-a-demo.js:242

📧

Info Email 邮箱地址

[email protected]

references/PLAN_A_DEMO_USAGE.md:43

📧

Info Email 邮箱地址

[email protected]

references/deployment.md:48

File Tree

12 files · 32.9 KB · 1220 lines

Markdown 10f · 896L JavaScript 1f · 317L Shell 1f · 7L

├─ ▾ 📁 references

│ ├─ 📝 architecture.md Markdown 27L · 691 B

│ ├─ 📝 clawhub.md Markdown 33L · 568 B

│ ├─ 📝 deployment.md Markdown 79L · 1.7 KB

│ ├─ 📝 google-sheet-schema.md Markdown 32L · 601 B

│ ├─ 📝 macos.md Markdown 17L · 376 B

│ ├─ 📝 PLAN_A_DEMO_USAGE.md Markdown 116L · 2.9 KB

│ ├─ 📝 PLAN_A_TEST.md Markdown 470L · 10.8 KB

│ ├─ 📝 troubleshooting.md Markdown 21L · 676 B

│ └─ 📝 windows.md Markdown 21L · 531 B

├─ ▾ 📁 scripts

│ ├─ 📜 plan-a-demo.js JavaScript 317L · 11.6 KB

│ └─ 🔧 run-plan-a.sh Shell 7L · 144 B

└─ 📝 SKILL.md Markdown 80L · 2.4 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`gog`	`N/A (external CLI)`	system dependency	No	Google Sheets CLI tool, not a package dependency
`node-fetch`	`N/A (built-in)`	Node.js built-in	No	Uses global fetch API available in Node 18+

Security Positives

✓ No credential theft or exfiltration detected

✓ No reverse shell or C2 communication patterns

✓ No base64-encoded payloads or obfuscated code

✓ Discord token is read from environment variable only, never hardcoded

✓ State file used for idempotency prevents duplicate sends

✓ Error handling includes state persistence for debugging

✓ Sensitive paths (~/.ssh, ~/.aws, .env) are not accessed

Scan Report

Findings 2 items

File Tree

Dependencies 2 items

Security Positives