Suspicious — Risk Score 48/100
Last scan: 23 hr ago
feynman-fsrs-pro
A Feynman-method study tutor based on the FSRS algorithm, linking a PostgreSQL memory store with Obsidian notes.
Hardcoded database credentials exposed in SKILL.md and source code create significant credential theft risk; doc-to-code table name mismatch indicates shadow functionality.
Skill Name: feynman-fsrs-pro
Duration: 54.1s
Engine: pi
Use with caution
Remove all hardcoded credentials from SKILL.md and source files. Use environment variables for database connection parameters. Correct table name inconsistency between documentation and code.

Findings (5 items)

Severity | Finding | Location

[High] Database credentials exposed in SKILL.md (Credential Theft)
SKILL.md contains plaintext database credentials: username 'openclaw_feiman', password '12345678', host '127.0.0.1'. This is a critical security violation as documentation should never contain sensitive credentials.
Username: openclaw_feiman
Host: 127.0.0.1
Password: 12345678
→ Remove all credentials from SKILL.md. Use environment variables or .env file for configuration.
SKILL.md:17
[High] Hardcoded credentials in feynman_core.js (Credential Theft)
feynman_core.js contains hardcoded database connection parameters with weak password '12345678'.
host: '127.0.0.1',
database: 'openclaw_feiman',
password: '12345678'
→ Use environment variables: process.env.DB_PASSWORD, process.env.DB_HOST, etc.
scripts/feynman_core.js:15
[High] Hardcoded credentials in database.js (Credential Theft)
database.js contains the same hardcoded database credentials as feynman_core.js.
user: 'openclaw_feiman',
host: '127.0.0.1',
password: '12345678'
→ Consolidate database config into a single module using environment variables.
scripts/database.js:7
[Medium] Table name mismatch between documentation and code (Doc Mismatch)
SKILL.md declares table name as 'feynman_memory', but feynman_core.js queries 'feynman_cards' while database.js queries 'feynman_memory'. schema.sql creates 'feynman_cards'. This inconsistency suggests shadow functionality or copy-paste errors.
SELECT concept_name FROM feynman_cards
→ Standardize table name across all files. Update SKILL.md to reflect actual table name used in code.
scripts/feynman_core.js:55
[Low] Hardcoded Obsidian path references a specific user (Sensitive Access)
OBSIDIAN_BASE path points to 'C:\Users\alex\iCloudDrive\iCloud~md~obsidian\new-note', exposing a specific user's directory structure.
C:\\Users\\alex\\iCloudDrive\\iCloud~md~obsidian\\new-note
→ Use environment variable for Obsidian path configuration.
scripts/database.js:8
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | Reads .md files from Obsidian directory
Database | WRITE | WRITE | ✓ Aligned | PostgreSQL connection with SELECT/INSERT/UPDATE queries
Network | NONE | READ | ✓ Aligned | Connects to local PostgreSQL at 127.0.0.1:5432 (documentation exposes '27.0.0.1'…
Shell | NONE | NONE | | No shell execution observed
15 findings (1 High)

Severity | Type | Value | Location
High | IP Address (hardcoded IP address) | 27.0.0.1 | scripts/feynman_core.js:9
Medium | External URL | https://registry.npmmirror.com/pg/-/pg-8.20.0.tgz | scripts/package-lock.json:20
Medium | External URL | https://registry.npmmirror.com/pg-cloudflare/-/pg-cloudflare-1.3.0.tgz | scripts/package-lock.json:47
Medium | External URL | https://registry.npmmirror.com/pg-connection-string/-/pg-connection-string-2.12.0.tgz | scripts/package-lock.json:54
Medium | External URL | https://registry.npmmirror.com/pg-int8/-/pg-int8-1.0.1.tgz | scripts/package-lock.json:60
Medium | External URL | https://registry.npmmirror.com/pg-pool/-/pg-pool-3.13.0.tgz | scripts/package-lock.json:69
Medium | External URL | https://registry.npmmirror.com/pg-protocol/-/pg-protocol-1.13.0.tgz | scripts/package-lock.json:78
Medium | External URL | https://registry.npmmirror.com/pg-types/-/pg-types-2.2.0.tgz | scripts/package-lock.json:84
Medium | External URL | https://registry.npmmirror.com/pgpass/-/pgpass-1.0.5.tgz | scripts/package-lock.json:100
Medium | External URL | https://registry.npmmirror.com/postgres-array/-/postgres-array-2.0.0.tgz | scripts/package-lock.json:109
Medium | External URL | https://registry.npmmirror.com/postgres-bytea/-/postgres-bytea-1.0.1.tgz | scripts/package-lock.json:118
Medium | External URL | https://registry.npmmirror.com/postgres-date/-/postgres-date-1.0.7.tgz | scripts/package-lock.json:127
Medium | External URL | https://registry.npmmirror.com/postgres-interval/-/postgres-interval-1.2.0.tgz | scripts/package-lock.json:136
Medium | External URL | https://registry.npmmirror.com/split2/-/split2-4.2.0.tgz | scripts/package-lock.json:148
Medium | External URL | https://registry.npmmirror.com/xtend/-/xtend-4.0.2.tgz | scripts/package-lock.json:157

File Tree

14 files · 69.9 KB · 2214 lines
JavaScript: 9 files, 1231 lines · Markdown: 2 files, 627 lines · JSON: 2 files, 191 lines · SQL: 1 file, 165 lines
├─ 📁 references
│ └─ 📝 README.md Markdown 312L · 8.1 KB
├─ 📁 scripts
│ ├─ 📜 check_db.js JavaScript 14L · 366 B
│ ├─ 📜 cli.js JavaScript 70L · 2.4 KB
│ ├─ 📜 database.js JavaScript 351L · 10.2 KB
│ ├─ 📜 feynman_core.js JavaScript 645L · 21.1 KB
│ ├─ 📜 get-note.js JavaScript 5L · 164 B
│ ├─ 📜 index.js JavaScript 28L · 635 B
│ ├─ 📋 package-lock.json JSON 165L · 5.7 KB
│ ├─ 📋 package.json JSON 26L · 487 B
│ ├─ 📜 review-helper.js JavaScript 25L · 795 B
│ ├─ 📜 review-start.js JavaScript 15L · 498 B
│ ├─ 📄 schema.sql SQL 165L · 6.4 KB
│ └─ 📜 update-progress.js JavaScript 78L · 2.9 KB
└─ 📝 SKILL.md Markdown 315L · 10.3 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
pg | ^8.11.3 | npm | No | PostgreSQL client library, version pinned

Security Positives

✓ No shell execution observed - skill uses direct database queries only
✓ No external network requests detected - only local PostgreSQL connection
✓ No obfuscation techniques (base64, eval) found in codebase
✓ No credential exfiltration - hardcoded credentials are only used locally
✓ No reverse shell or C2 infrastructure indicators
✓ No prompt injection payloads detected
✓ Dependencies are minimal (pg library only) with pinned versions