Low risk: risk score 20/100
Last scanned: 20 hours ago
daily-summary
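Automatic daily work summary generation. Generates a one-sentence work summary from chat logs and browser history and sends it to Feishu on a schedule.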
Skill performs legitimate daily summary generation with declared browser history access; minor doc deception about Feishu sending but no actual exfiltration or malicious behavior.
Skill name: daily-summary
Analysis time: 27.7s
Engine: pi
Can be installed
Consider adding Feishu sending implementation if advertised, or update SKILL.md to match actual functionality.

Security findings: 2

Severity / Finding / Location
Low
Incomplete feature documentation (documentation deception)
SKILL.md states '定时发送飞书' (scheduled Feishu sending) but scripts/generate.py only generates a summary and appends to memory file. No actual Feishu API integration is present.
每天定时发送飞书 (sent to Feishu on a schedule every day)
→ Either implement Feishu sending or update SKILL.md to remove this claim
SKILL.md:10
Low
Browser history database access (sensitive access)
Script reads Chrome/Edge History sqlite database, exposing visited URLs and page titles. Behavior is declared in SKILL.md but the scope is broad (all sites within 1 day).
shutil.copy2(history_path, temp_path)
→ Data stays local; no exfiltration observed. Consider filtering out sensitive URLs if any.
scripts/generate.py:28
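| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ | READ+WRITE | ✓ Consistent | main(): writes to ~/.openclaw/workspace/memory/{date}.md |
| Network access | READ | READ | ✓ Consistent | read_browser_history(): accesses local History sqlite DB |
| Command execution | NONE | NONE | | No subprocess execution found |
| Skill invocation | NONE | NONE | | No cross-skill invocations |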

Directory structure

2 files · 5.2 KB · 197 lines
Python 1f · 138L Markdown 1f · 59L
├─ 📁 scripts
│ └─ 🐍 generate.py Python 138L · 4.0 KB
└─ 📝 SKILL.md Markdown 59L · 1.3 KB

Security highlights

✓ No subprocess or shell execution
✓ No credential harvesting or environment variable enumeration
✓ No base64 encoding or obfuscation
✓ No network requests to external IPs
✓ No suspicious file operations beyond declared memory access
✓ Clean Python implementation with proper error handling
✓ Browser history access properly scoped and declared