Low risk: risk score 15/100
Last scan: 1 day ago

page-doc-generator
Generate Word documentation from mini-program/uni-app project screenshots and source code

Summary: Documentation generation skill with a minor doc-to-code mismatch on shell execution; no malicious behavior detected.

Skill name: page-doc-generator
Analysis time: 19.4s
Engine: pi
Verdict: Safe to install
Recommendation: Update SKILL.md to explicitly declare subprocess usage for the pandoc invocation.

Security findings (1)

Severity | Finding | Category | Location
Low | Shell execution not declared in SKILL.md | Documentation mismatch | scripts/convert_to_docx.py:57

SKILL.md describes pandoc usage but does not explicitly state that the script invokes subprocess to run pandoc as an external command. The call passes an argument list rather than a shell string (no shell=True) and sets a 60-second timeout, so the arguments are not interpreted by a shell; the finding is a missing capability declaration, not an injection risk:

result = subprocess.run([pandoc, str(md_path), "-o", str(output_path), "--resource-path", str(md_path.parent)], capture_output=True, text=True, timeout=60)

→ Add "Uses subprocess to invoke pandoc for DOCX conversion" to the capability declaration in SKILL.md
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ,WRITE | READ,WRITE | ✓ consistent | Reads Vue files and images, writes markdown/docx output
Command execution | NONE | WRITE | ✓ consistent | scripts/convert_to_docx.py:57 - subprocess.run for pandoc

Note that the command-execution row is reported as consistent even though the declared permission (NONE) differs from the inferred one (WRITE); the finding above records exactly this gap, so the row's status should be read as "no harmful behavior" rather than "declaration matches code".
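The declared-versus-inferred comparison in the table above, and the "shell execution not declared" finding it supports, come down to one check: statically find command-execution calls in the skill's Python source, then see whether SKILL.md admits to them. The following is an added example of that check, not the scanner's own code. It walks the Python AST for subprocess/os calls, records whether each one goes through a shell (os.system/os.popen always do, subprocess.* only with shell=True), and compares the result with a crude keyword test on SKILL.md. The script body around the subprocess.run line, the shell=True variant, and both SKILL.md snippets are constructed for the example; only the subprocess.run call itself is taken from the report.

```python
import ast
import re

# Constructed stand-in for scripts/convert_to_docx.py: only the subprocess.run
# call shown in the report is real; the surrounding function is an assumption.
SAMPLE_SCRIPT = '''
import subprocess
from pathlib import Path

def convert(pandoc, md_path, output_path):
    result = subprocess.run([pandoc, str(md_path), "-o", str(output_path),
                             "--resource-path", str(md_path.parent)],
                            capture_output=True, text=True, timeout=60)
    return result.returncode
'''

# Constructed variant that a scanner should rate worse: a shell-joined command.
SHELL_SCRIPT = '''
import subprocess
def convert(md_path):
    return subprocess.run("pandoc " + md_path + " -o out.docx", shell=True)
'''

# Constructed SKILL.md snippets, before and after the recommended declaration.
SKILL_MD_UNDECLARED = "Converts the generated markdown to DOCX with pandoc."
SKILL_MD_DECLARED = (SKILL_MD_UNDECLARED +
                     "\nUses subprocess to invoke pandoc for DOCX conversion.")

# module.attr pairs that run an external command. os.system/os.popen always go
# through a shell; subprocess.* only when shell=True is passed.
EXEC_CALLS = {
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
    ("os", "system"), ("os", "popen"),
}
ALWAYS_SHELL = {("os", "system"), ("os", "popen")}


def _qualified(node):
    """Return (module, attr) for calls of the form module.attr(...), else None."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    return None


def find_command_execution(source):
    """AST walk: list (lineno, 'module.attr', uses_shell) for each exec call."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified(node)
        if name not in EXEC_CALLS:
            continue
        uses_shell = name in ALWAYS_SHELL or any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant)
            and kw.value.value is True for kw in node.keywords)
        found.append((node.lineno, ".".join(name), uses_shell))
    return found


def declares_command_execution(skill_md):
    """Keyword heuristic: does SKILL.md admit to running external commands?"""
    pattern = r"\b(subprocess|shell|command execution|external command)\b"
    return re.search(pattern, skill_md, re.IGNORECASE) is not None


def check_capability(source, skill_md):
    """Compare declared vs inferred command-execution permission, in the same
    NONE/WRITE terms as the report's resource table, and list shell=True calls."""
    calls = find_command_execution(source)
    inferred = "WRITE" if calls else "NONE"
    declared = "WRITE" if declares_command_execution(skill_md) else "NONE"
    return {
        "declared": declared,
        "inferred": inferred,
        "consistent": declared == inferred,
        "calls": calls,
        "shell_calls": [c for c in calls if c[2]],
    }


if __name__ == "__main__":
    for label, md in (("undeclared", SKILL_MD_UNDECLARED),
                      ("declared", SKILL_MD_DECLARED)):
        print(label, check_capability(SAMPLE_SCRIPT, md))
    print("shell variant", check_capability(SHELL_SCRIPT, SKILL_MD_DECLARED))
```

Run against the constructed script, the check reports declared NONE versus inferred WRITE until the recommended sentence is added to SKILL.md, which is the mismatch the finding describes; the argument-list form of the real call yields an empty shell_calls list, while the shell=True variant is flagged. The keyword test on SKILL.md is deliberately simple and will miss prose that describes command execution in other words, so treat a "consistent" result from it as a hint, not proof.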
External URLs (1 finding)

Severity | Type | URL | Location
Medium | External URL | https://pandoc.org/ | scripts/convert_to_docx.py:58

Directory structure

3 files · 16.7 KB · 555 lines
Python: 2 files · 443 lines; Markdown: 1 file · 112 lines
├─ 📁 scripts
│ ├─ 🐍 convert_to_docx.py Python 116L · 3.0 KB
│ └─ 🐍 generate_page_doc.py Python 327L · 10.9 KB
└─ 📝 SKILL.md Markdown 112L · 2.8 KB

Security highlights

✓ No credential access or harvesting
✓ No network data exfiltration
✓ No obfuscated or base64-encoded code
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No malicious dependencies or supply chain risks
✓ Code is clean, readable, and performs only stated documentation generation