Low risk: risk score 18/100
Last scan: 2 days ago
word-jumble
Generate a Word Jumble puzzle with scrambled words, circled letters forming an idiom, cartoon hint, and printable screenshot
This is a legitimate Word Jumble puzzle generator with minor documentation gaps but no malicious behavior detected.
Skill name: word-jumble
Analysis time: 27.3s
Engine: pi
Verdict: can be installed
Add explicit declarations for filesystem:WRITE and network:READ in SKILL.md to fully document the skill's actual behavior. The answer key in the HTML template is intended for puzzle creators and poses minimal risk in context.

Security findings: 3

Severity / Finding / Location

Low: Undeclared filesystem write access
SKILL.md declares NONE for filesystem but the code creates output/ directories and writes JSON, HTML, and image files.
Evidence: output goes into an `output/` directory (create if needed)
→ Declare filesystem:WRITE in SKILL.md header capabilities
Location: SKILL.md:1

Low: Hidden answer key in HTML
puzzle-template.html embeds the answer in tiny upside-down text at bottom-right. While intended for puzzle creators to verify printouts, this is not documented and could confuse solvers who inspect the HTML.
Evidence: answerKey.textContent = 'Answer: ' + puzzle.final_puzzle.solution.join('')
→ Document this design decision or consider if it's necessary for the intended use case
Location: assets/puzzle-template.html:147

Info: Network access not declared
render_puzzle.py starts a local HTTP server on port 7891 but SKILL.md does not declare network access.
Evidence: server = http.server.HTTPServer(('', port), handler)
→ Add network:READ to declared capabilities as this skill serves HTML locally
Location: scripts/render_puzzle.py:79
Resource type     | Declared | Inferred | Status               | Evidence
Filesystem        | NONE     | WRITE    | ✗ Exceeds declared   | SKILL.md declares NONE but code creates output/ directory and writes files
Network access    | NONE     | READ     | ✗ Exceeds declared   | render_puzzle.py:79 starts local HTTP server
Command execution | NONE     | NONE     |                      | No subprocess execution found
Browser           | READ     | READ     | ✓ Consistent         | SKILL.md mentions browser tool for screenshots

Directory structure

4 files · 14.4 KB · 507 lines
HTML: 1 file, 236 lines · Python: 2 files, 170 lines · Markdown: 1 file, 101 lines
├─ 📁 assets
│ └─ 📄 puzzle-template.html HTML 236L · 5.2 KB
├─ 📁 scripts
│ ├─ 🐍 render_puzzle.py Python 101L · 3.2 KB
│ └─ 🐍 validate_puzzle.py Python 69L · 2.0 KB
└─ 📝 SKILL.md Markdown 101L · 4.1 KB

Security highlights

✓ No external network connections or data exfiltration detected
✓ No credential harvesting or environment variable scanning
✓ No base64 encoding, eval(), or obfuscated code patterns
✓ No curl|bash or wget|sh remote script execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Pure puzzle generation logic with no side effects
✓ Input validation script prevents malformed puzzles