Low risk: risk score 20/100
Last scanned: 19 hours ago
Timezone
Convert times across world timezones and compare availability
A legitimate local logging utility with no malicious behavior, though SKILL.md is misleading about its timezone conversion capability.
Skill name: Timezone
Analysis time: 34.1s
Engine: pi
Verdict: can be installed
The skill is safe to use but SKILL.md should be updated to accurately reflect its logging functionality instead of claiming timezone conversion.

Security findings (2)

Severity: Medium
Finding: SKILL.md claims a timezone conversion capability that is not implemented in the code
Category: Documentation deception
SKILL.md describes this as a 'Timezone' tool for 'converting times across world timezones and comparing availability.' However, scripts/script.sh performs no timezone-related operations at all. It merely logs arbitrary user input to local .log files. The name 'Timezone' and the described functionality appear to be a misleading wrapper around a simple logging utility.
Evidence: description: Convert times across world timezones...
Recommendation: Rename the skill and update SKILL.md to accurately describe the tool as a local command/input logger, or implement actual timezone conversion functionality.
Location: SKILL.md:1

Severity: Low
Finding: User input written to log files without sanitization
Category: Sensitive access
The script accepts arbitrary user input via positional arguments and writes it directly to ~/.local/share/timezone/*.log files. If a user passes sensitive data (e.g., passwords, API keys), it is persisted to disk in plaintext.
Evidence: echo "$ts|$input" >> "$DATA_DIR/run.log"
Recommendation: Add input sanitization or warn users not to pass sensitive data as arguments.
Location: scripts/script.sh:78
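The finding above quotes the logging line. As an added example (not the skill's own scripts/script.sh), here is that pattern beside a hardened variant, written in bash because the skill is a bash script. DATA_DIR and run.log follow the report; the function names, the redaction keywords and the sample inputs are assumptions for illustration. Beyond the plaintext-secret issue the finding raises, the hardened form also neutralises a newline inside the argument, which with a plain echo would produce an extra, caller-chosen log record, and it restricts the log directory and file to the owner.

```shell
#!/usr/bin/env bash
# Added example, not the skill's scripts/script.sh. DATA_DIR and run.log
# follow the scan report; function names, redaction keywords and sample
# inputs are assumptions for illustration.
set -eu

DATA_DIR="${DATA_DIR:-${HOME:-/tmp}/.local/share/timezone}"

# The pattern the scan flagged: whatever arrives in $input is appended
# verbatim, so secrets land on disk in plaintext and an embedded newline
# yields a second, caller-chosen log record.
log_unsafe() {
    local input="$1" ts
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    mkdir -p "$DATA_DIR"
    echo "$ts|$input" >> "$DATA_DIR/run.log"
}

# Returns the sanitised form of one argument (no filesystem access, so it
# can be checked in isolation).
sanitize_for_log() {
    local input="$1"
    # Map CR, LF and every other control character to a space: one argument
    # can then never produce more than one log record.
    input="$(printf '%s' "$input" | tr '\000-\037\177' ' ')"
    # Best-effort redaction of values that look like credentials
    # (key=value / key: value pairs and Bearer tokens). The keyword list is
    # illustrative and case-sensitive; this is a safety net, not a
    # guarantee, so users should still be told not to pass secrets.
    input="$(printf '%s' "$input" | sed -E \
        -e 's#((password|passwd|secret|token|api_key|apikey|api-key)[[:space:]]*[=:][[:space:]]*)[^[:space:]]+#\1[REDACTED]#g' \
        -e 's#(Bearer[[:space:]]+)[A-Za-z0-9._~+/=-]+#\1[REDACTED]#g')"
    printf '%s' "$input"
}

# Hardened writer: sanitised line, printf instead of echo, and the log
# directory and file restricted to the owner.
log_safe() {
    local input="$1" ts line
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    line="$ts|$(sanitize_for_log "$input")"
    mkdir -p "$DATA_DIR"
    chmod 700 "$DATA_DIR"
    [ -e "$DATA_DIR/run.log" ] || ( umask 077; : > "$DATA_DIR/run.log" )
    printf '%s\n' "$line" >> "$DATA_DIR/run.log"
}

# Demo: run with --demo to append two sanitised records to $DATA_DIR/run.log
# (constructed sample inputs, including a newline and a fake key).
if [ "${1:-}" = "--demo" ]; then
    log_safe "$(printf 'meeting at 09:00\nforged|record')"
    log_safe "api_key=sk-example-not-real for the calendar sync"
    cat "$DATA_DIR/run.log"
fi
```

The redaction step is deliberately a fallback: keyword matching misses secrets that do not announce themselves, so the recommendation to warn users against passing sensitive data as arguments still stands. The control-character mapping, by contrast, is a hard guarantee that each call writes exactly one record, which matters if anything downstream parses run.log by line.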
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ consistent | SKILL.md 'Data Storage' section declares ~/.local/share/timezone/; script create…
Command execution | NONE | NONE | | No subprocess, eval, or command execution beyond set -euo pipefail.
Network access | NONE | NONE | | No curl, wget, or network calls; fully offline per SKILL.md.
Environment variables | NONE | NONE | | Only reads HOME to build the DATA_DIR path; no iteration over env vars.
Skill invocation | NONE | NONE | | No skill invocation.
Clipboard | NONE | NONE | | No clipboard access.
Browser | NONE | NONE | | No browser access.
Database | NONE | NONE | | No database access.
External references (3 findings)

Severity | Type | Value | Location
Medium | External URL | https://bytesagain.com | SKILL.md:6
Medium | External URL | https://bytesagain.com/feedback/ | SKILL.md:98
Info | Email address | [email protected] | SKILL.md:101

Directory structure

2 files · 14.3 KB · 414 lines
Shell: 1 file · 313 lines; Markdown: 1 file · 101 lines
├─ 📁 scripts
│ └─ 🔧 script.sh Shell 313L · 10.9 KB
└─ 📝 SKILL.md Markdown 101L · 3.5 KB

Security highlights

✓ No network requests — fully offline operation as declared
✓ No credential harvesting — script does not read ~/.ssh, ~/.aws, or .env files, and touches no environment variable other than HOME (used only to build the data directory path)
✓ No obfuscation — script is readable plain bash with no base64, eval, or anti-analysis tricks
✓ No subprocess calls — script only writes to local files
✓ No supply chain risk — no external dependencies (no package.json, requirements.txt, etc.)
✓ No persistence mechanism — no cron jobs, systemd units, or startup scripts installed