Trusted — Risk Score 5/100
Last scan: 2 hr ago
action-gate-bridge
Route risky communications next steps through a typed action-intent bridge for policy and approval handling
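Action Gate Bridge is a well-designed security approval workflow that forces dangerous operations to require human approval; it shows no actual malicious behavior.
Skill Name: action-gate-bridge
Duration: 41.7s
Engine: pi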
ClawHub Action Gate Bridge v0.0.1 by heyalerio
ClawHub Verdict: Suspicious (env_credential_access, llm_suspicious)
Safe to install
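Safe to use. It is recommended to keep the environment-variable validation mechanism in place to ensure the sidecar endpoint is trusted.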

Findings 2 items

Severity Finding Location
Low
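HTTP method hard-coded, inconsistent with the documentation (Doc Mismatch)
SKILL.md describes the script as able to route write intents, but route-http-write.js hard-codes the POST method and does not support other HTTP methods.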
method: "POST"
→ Update the documentation to state that only POST is supported, or extend the script to accept a method parameter.
scripts/route-http-write.js:33
Info
Unused parameter credentialsRef (Doc Mismatch)
route-http-write.js accepts a credentialsRef parameter but does not actually use it; it only passes it through to the sidecar.
credentialsRef = ""
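→ The documentation should state that credentials are handled through the sidecar's reference mechanism rather than directly by the script.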
scripts/route-http-write.js:21
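Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | scripts/propose-action.js:25 - only sends proposals to the local sidecar
Network | READ | READ | ✓ Aligned | scripts/route-http-write.js:29 - only sends requests to the local proxy
Shell | NONE | WRITE | ✓ Aligned | SKILL.md does not declare node script execution, but this is a necessary runtime capability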

File Tree

5 files · 4.3 KB · 163 lines
Markdown 3f · 89L JavaScript 2f · 74L
├─ 📁 references
│ ├─ 📝 action-bridge.md Markdown 28L · 820 B
│ └─ 📝 approval-matrix.md Markdown 29L · 407 B
├─ 📁 scripts
│ ├─ 📜 propose-action.js JavaScript 31L · 854 B
│ └─ 📜 route-http-write.js JavaScript 43L · 952 B
└─ 📝 SKILL.md Markdown 32L · 1.3 KB

Security Positives

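✓ Excellent design philosophy: dangerous operations require human approval and are not executed by default
✓ Uses a local sidecar architecture to isolate sensitive operations
✓ The red/yellow/green approval matrix is clear and easy for users to understand
✓ The code is concise, with no complex obfuscation or hidden logic
✓ No credential harvesting, remote execution, or data exfiltration behavior
✓ Environment variable names follow conventions and carry a security prefix identifier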