desktop-automation-pro 安全扫描报告 — 低风险 | ClawSafe

12 /100

desktop-automation-pro

Desktop GUI automation toolkit for browser, mobile devices, and native applications

Legitimate desktop GUI automation toolkit using pyautogui and pywinauto with no malicious behavior, network calls, or credential access detected.

技能名称desktop-automation-pro

分析耗时35.4s

引擎pi

✓

可以安装

Approve for use. Consider pinning dependency versions in a requirements.txt for supply-chain hygiene.

安全发现 2 项

严重性	安全发现	位置
低危	Dependencies not pinned 供应链 No requirements.txt or package.json exists. SKILL.md installation instructions use unpinned pip install commands (pyautogui, pywinauto, pillow), allowing any version to be pulled. `pip install pyautogui pywinauto pillow` → Add a requirements.txt with pinned versions (e.g., pyautogui==0.9.54) to ensure reproducible and secure builds.	`SKILL.md:113`
低危	Shell execution not explicitly declared 文档欺骗 SKILL.md states 'Python scripts via exec' for native app automation but does not explicitly declare shell:WRITE in the capability model. The exec tool maps to shell:WRITE which is a significant capability. `Native App Automation / 原生应用自动化: For Windows native applications, use Python scripts via exec` → Explicitly declare shell:WRITE in SKILL.md capability table and document the scope of allowed script execution.	`SKILL.md:54`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	SKILL.md screenshot writes to output file; pyautogui_demo.py:89 screenshot.save(…
命令执行	`NONE`	`WRITE`	✓ 一致	SKILL.md mentions 'Python scripts via exec' for native app automation but does n…
网络访问	`NONE`	`NONE`	—	Neither script makes any network requests
浏览器	`READ`	`READ`	✓ 一致	SKILL.md declares browser tool usage for Chromium automation
剪贴板	`NONE`	`NONE`	—	No clipboard access in scripts

3 文件 · 15.8 KB · 546 行

Python 2f · 299L Markdown 1f · 247L

├─ ▾ 📁 scripts

│ ├─ 🐍 pyautogui_demo.py Python 142L · 4.5 KB

│ └─ 🐍 pywinauto_demo.py Python 157L · 4.4 KB

└─ 📝 SKILL.md Markdown 247L · 6.9 KB

包名	版本	来源	已知漏洞	备注
`pyautogui`	`unpinned`	pip	否	No version specified in SKILL.md install instructions
`pywinauto`	`unpinned`	pip	否	No version specified in SKILL.md install instructions
`pillow`	`unpinned`	pip	否	No version specified in SKILL.md install instructions

✓ pyautogui_demo.py enables FAILSAFE protection (pyautogui.FAILSAFE = True), moving mouse to screen corner aborts operations

✓ Scripts are well-documented with docstrings and bilingual comments explaining each function

✓ No network requests, external IP connections, or data exfiltration detected in any script

✓ No credential harvesting, environment variable iteration for secrets, or sensitive file access

✓ No base64 encoding, eval(), or obfuscated code patterns present

✓ No curl|bash or wget|sh remote script execution

✓ Argparse-based CLI with input validation — no arbitrary command injection vectors

✓ No hidden HTML comments, embedded payloads, or steganographic elements