Low risk: risk score 20/100
Last scan: 2 days ago
employee-reminder-ops
Google Sheets-driven employee reminder and special-event reporting workflow for internal operations
A legitimate employee reminder workflow that reads Google Sheets and sends reports to Discord, with only minor privacy leakage from hardcoded personal paths.
Skill name: employee-reminder-ops
Analysis time: 31.9s
Engine: pi
Verdict: can be installed
Consider replacing the hardcoded home directory path in run-plan-a.sh with $HOME or a relative path for better portability and reduced information disclosure.

Security findings: 2

Severity: Low
Finding: Hardcoded personal path in shell script
Details: run-plan-a.sh contains the hardcoded path /Users/vtammm/.openclaw/workspace, which exposes the author's macOS username and makes the script non-portable.
Evidence: cd /Users/vtammm/.openclaw/workspace
→ Use $HOME or a path relative to the script for better portability
Location: scripts/run-plan-a.sh:4

Severity: Low
Finding: Hardcoded default values for sensitive identifiers
Details: The spreadsheet ID, Discord channel ID, and Google account are hardcoded as fallback defaults in the CONFIG object of plan-a-demo.js. Because the fallback is a plain `||`, a deployment that forgets to set the environment variable silently targets the test spreadsheet and channel instead of failing.
Evidence: spreadsheetId: process.env.PLAN_A_SHEET_ID || '17JU1m6rBOhlD7vqSTrMOSPcEQehO04HnYg7oMeDXnn8'
→ These values are documented as test defaults in references/PLAN_A_DEMO_USAGE.md, but production deployments should not rely on them
Location: scripts/plan-a-demo.js:7
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | SKILL.md line 1: 'Read employee and special-event data from Google Sheets'; plan…
Network access | READ | WRITE | ✓ Consistent | SKILL.md: 'Route reminder reports into Telegram or Discord'; plan-a-demo.js:242:…
Command execution | NONE | WRITE | ✓ Consistent | Uses execFileSync for the gog CLI only, declared in references/deployment.md as requ…
3 findings

Severity | Type | Value | Location
Medium | External URL | https://discord.com/api/v10/channels/$ | scripts/plan-a-demo.js:242
Info | Email address | [email protected] | references/PLAN_A_DEMO_USAGE.md:43
Info | Email address | [email protected] | references/deployment.md:48

Directory structure

12 files · 32.9 KB · 1220 lines
Markdown 10 files · 896 lines; JavaScript 1 file · 317 lines; Shell 1 file · 7 lines
├─ 📁 references
│ ├─ 📝 architecture.md Markdown 27L · 691 B
│ ├─ 📝 clawhub.md Markdown 33L · 568 B
│ ├─ 📝 deployment.md Markdown 79L · 1.7 KB
│ ├─ 📝 google-sheet-schema.md Markdown 32L · 601 B
│ ├─ 📝 macos.md Markdown 17L · 376 B
│ ├─ 📝 PLAN_A_DEMO_USAGE.md Markdown 116L · 2.9 KB
│ ├─ 📝 PLAN_A_TEST.md Markdown 470L · 10.8 KB
│ ├─ 📝 troubleshooting.md Markdown 21L · 676 B
│ └─ 📝 windows.md Markdown 21L · 531 B
├─ 📁 scripts
│ ├─ 📜 plan-a-demo.js JavaScript 317L · 11.6 KB
│ └─ 🔧 run-plan-a.sh Shell 7L · 144 B
└─ 📝 SKILL.md Markdown 80L · 2.4 KB

Dependency analysis: 2

Package | Version | Source | Known vulnerabilities | Notes
gog | N/A (external CLI) | system dependency | none listed | Google Sheets CLI tool, not a package dependency
node-fetch | N/A (built-in) | Node.js built-in | none listed | Not installed as a package; the script uses the global fetch API available in Node 18+

Security highlights

✓ No credential theft or exfiltration detected
✓ No reverse shell or C2 communication patterns
✓ No base64-encoded payloads or obfuscated code
✓ Discord token is read from an environment variable only, never hardcoded
✓ State file used for idempotency prevents duplicate sends
✓ Error handling includes state persistence for debugging
✓ Sensitive paths (~/.ssh, ~/.aws, .env) are not accessed