Low risk: risk score 20/100
Last scan: 21 hours ago
productivity-bot
Automation bot for productivity tasks including data processing, scheduled notifications, and workflow optimization.
SKILL.md documents a productivity bot with vague feature descriptions but contains no executable code, scripts, or dependencies, making direct risk minimal though documentation is insufficient.
Skill name: productivity-bot
Analysis time: 35.9s
Engine: pi
Verdict: can be installed
Do not deploy this skill until actual implementation code (scripts, modules) is provided and reviewed. Request the full codebase and any dependency manifests before use.

Security findings: 3

Severity | Finding | Location
Medium
No allowedTools declared in SKILL.md (category: documentation deception)
The SKILL.md frontmatter does not include an allowedTools declaration. Without this, the inference engine cannot map declared permissions, and no baseline for comparison exists.
No allowedTools field in frontmatter
→ Add a proper allowedTools declaration to SKILL.md frontmatter specifying exactly which tools the skill may use (e.g., Read, Write, Bash, WebFetch).
SKILL.md:1
Medium
Feature claims with no implementation (category: documentation deception)
SKILL.md describes features (CSV/Excel processing, scheduled tasks, email alerts, webhooks) but provides no code, scripts, or manifests. This makes it impossible to verify the stated functionality or detect hidden behavior.
Auto-process CSV/Excel files, Daily reminders, Email alerts, Custom webhooks
→ Request the full implementation codebase. Do not approve or deploy based solely on documentation.
SKILL.md:1
Low
API keys mentioned without usage transparency (category: documentation deception)
SKILL.md lists 'Various API keys' under Requirements but provides no detail on which APIs are used, how credentials are stored, or whether they are exfiltrated.
Various API keys
→ Specify which APIs are required and how credentials are handled. Avoid using hardcoded credentials.
SKILL.md:43
Resource type          Declared permission  Inferred permission  Status  Evidence
File system            NONE                 NONE
Network access         NONE                 NONE
Command execution      NONE                 NONE
Environment variables  NONE                 NONE
Skill invocation       NONE                 NONE
Clipboard              NONE                 NONE
Browser                NONE                 NONE
Database               NONE                 NONE

Directory structure

1 file · 830 B · 43 lines
Markdown: 1 file · 43 lines
└─ 📝 SKILL.md Markdown 43L · 830 B

Security highlights

✓ No executable code present — no direct malicious behavior possible from static analysis alone
✓ No suspicious IOCs (IOCs array empty)
✓ No external network indicators or base64-encoded content observed
✓ No credential harvesting or shell execution patterns detected