Low risk: risk score 20/100
Last scan: 1 day ago
slide-editor
Visual editor for HTML presentations - self-contained, offline-capable, designed for AI agent control
A legitimate HTML presentation editor with documented Bun installation instructions and benign shell usage for browser opening only.
Skill name: slide-editor
Analysis time: 44.5s
Engine: pi
Verdict: safe to install
Approve for use. The execSync shell commands in inject.ts are used solely for opening URLs in the browser (open/xdg-open/start) and are not declared in SKILL.md. Consider adding shell:WRITE to declared permissions for transparency.

Security findings (2)

Severity | Finding | Location

Low | Undeclared shell execution (Documentation deception) | inject.ts:179
inject.ts uses execSync from child_process to open URLs in the browser (open/xdg-open/start), but this is not declared in the SKILL.md permissions.
execSync(`open "${fileUrl}"`, { stdio: 'ignore' });
→ Add shell:WRITE to declared permissions in SKILL.md for transparency.

Info | Bun runtime installation documented (Supply chain) | SKILL.md:23
SKILL.md documents curl|bash installation from bun.sh, a legitimate JavaScript runtime. This is flagged as an IOC but is standard practice for Bun installation.
curl -fsSL https://bun.sh/install | bash
→ No action needed: this is a documented user prerequisite, not hidden behavior.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ,WRITE | READ,WRITE | ✓ Consistent | inject.ts:5-6 reads/writes HTML files
Command execution | NONE | WRITE | ✓ Consistent | inject.ts:179-187 execSync for browser URL opening
Network access | NONE | NONE | | No network requests found
Environment variables | NONE | NONE | | No environment variable access
Skill invocation | NONE | NONE | | No skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | READ | ✓ Consistent | Editor runs in browser, accesses DOM
Database | NONE | NONE | | No database access
Indicators: 1 critical · 2 findings

Critical · Dangerous command · Dangerous shell command
curl -fsSL https://bun.sh/install | bash
SKILL.md:23

Medium · External URL · External URL
https://bun.sh/install
SKILL.md:23

Directory structure

27 files · 479.7 KB · 8614 lines
HTML 5 files · 4020 lines | TypeScript 18 files · 4003 lines | Markdown 2 files · 523 lines | JSON 2 files · 68 lines
├─ 📁 src
│ ├─ 📁 components
│ │ ├─ 📜 index.ts TypeScript 3L · 141 B
│ │ ├─ 📜 PropertiesPanel.ts TypeScript 312L · 12.2 KB
│ │ ├─ 📜 SlideNavigator.ts TypeScript 208L · 6.8 KB
│ │ └─ 📜 Toolbar.ts TypeScript 198L · 7.4 KB
│ ├─ 📁 core
│ │ ├─ 📜 DragManager.ts TypeScript 99L · 2.8 KB
│ │ ├─ 📜 HistoryManager.ts TypeScript 53L · 1.3 KB
│ │ ├─ 📜 index.ts TypeScript 5L · 243 B
│ │ ├─ 📜 ResizeManager.ts TypeScript 250L · 7.6 KB
│ │ ├─ 📜 SelectionManager.ts TypeScript 121L · 3.5 KB
│ │ └─ 📜 TextEditor.ts TypeScript 111L · 3.0 KB
│ ├─ 📁 i18n
│ │ └─ 📜 index.ts TypeScript 1L · 78 B
│ ├─ 📁 serialization
│ │ ├─ 📜 Exporter.ts TypeScript 579L · 18.0 KB
│ │ └─ 📜 index.ts TypeScript 1L · 53 B
│ ├─ 📜 i18n.ts TypeScript 133L · 4.1 KB
│ ├─ 📜 index.ts TypeScript 1162L · 36.1 KB
│ ├─ 📜 styles.ts TypeScript 451L · 9.2 KB
│ └─ 📜 types.ts TypeScript 123L · 2.8 KB
├─ 📁 test
│ ├─ 📄 clean-test.html HTML 819L · 70.7 KB
│ ├─ 📄 debug.html HTML 829L · 70.8 KB
│ ├─ 📄 presentation-clean.html HTML 774L · 65.0 KB
│ ├─ 📄 presentation-debug.html HTML 799L · 69.1 KB
│ └─ 📄 presentation.html HTML 799L · 69.0 KB
├─ 📜 inject.ts TypeScript 193L · 5.2 KB
├─ 📋 package.json JSON 50L · 1.3 KB
├─ 📝 README.md Markdown 186L · 4.8 KB
├─ 📝 SKILL.md Markdown 337L · 8.1 KB
└─ 📋 tsconfig.json JSON 18L · 444 B

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
esbuild | ^0.20.0 | npm | | DevDependency - version loosely pinned
puppeteer | ^24.39.1 | npm | | DevDependency - browser automation
typescript | ^5.4.0 | npm | | DevDependency
@types/node | ^20.0.0 | npm | | DevDependency - type definitions

Security highlights

✓ No credential harvesting or token theft
✓ No data exfiltration or C2 communication
✓ No base64-encoded or obfuscated code
✓ No sensitive file access (.ssh, .env, etc.)
✓ No reverse shell or RCE capabilities
✓ All functionality aligns with stated purpose (visual HTML presentation editor)
✓ Open source with clear MIT license
✓ No malicious dependencies detected