中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 22/100
Last scan:2 days ago Rescan
22 /100
tiered-recall
分层回忆系统 - 解决上下文长度限制,保持项目延续性
A legitimate memory management skill with one suspicious artifact: a hardcoded Windows System32 path in check_index.py that never executes, combined with absent allowed-tools declarations in SKILL.md.
Skill Nametiered-recall
Duration63.9s
Enginepi
Safe to install
Review check_index.py before production use; add explicit allowed-tools declarations to SKILL.md; remove hardcoded absolute paths.

Findings 4 items

Severity Finding Location
Medium
Hardcoded Windows System32 path targeting privileged user directory
scripts/check_index.py line 3 contains a hardcoded path 'C:/Windows/System32/UsersAdministrator.openclawworkspace/.tiered-recall/index.json'. This path points into Windows System32 (a protected directory) under a privileged user account. While the script is dead code (never called), the path selection suggests potential targeting of system or privileged files. No legitimate cross-platform skill should hardcode such a path.
index_file = Path('C:/Windows/System32/UsersAdministrator.openclawworkspace/.tiered-recall/index.json')
→ Remove check_index.py or replace the hardcoded path with a relative path computed from the script's own location. Never hardcode absolute paths to sensitive OS directories.
 scripts/check_index.py:3
Low
No allowed-tools section in SKILL.md
SKILL.md contains no 'allowed-tools' or permission declaration. The capability model defines Read→filesystem:READ and Write→filesystem:WRITE for skills, but this skill declares neither. The inferred capability (filesystem:READ+WRITE for scripts) remains undeclared, violating doc-to-code transparency expectations.
No allowed-tools section present in SKILL.md
→ Add an allowed-tools section to SKILL.md declaring the actual tools used, e.g. 'Read→filesystem:READ, Write→filesystem:WRITE'.
 SKILL.md:1
Low
Unrestricted workspace argument allows arbitrary directory access
Both build-index.py and load.py accept a --workspace argument that allows pointing to any filesystem location. While this enables legitimate multi-workspace use, it also means the skill can read/write outside its intended scope if the argument is manipulated or the user is misled.
parser.add_argument('--workspace', type=str, help='指定工作区路径')
→ Consider validating the workspace path to be within a known safe root (e.g., the agent's working directory) to prevent accidental cross-workspace access.
 scripts/build-index.py, scripts/load.py:174
Info
shutil.rmtree used for index cleanup (with user confirmation flag)
build-index.py uses shutil.rmtree(output_dir) when --clean is passed. The output_dir is a controlled subdirectory (.tiered-recall), so the blast radius is limited, but destructive file deletion is undeclared.
shutil.rmtree(output_dir)
→ Declare filesystem:WRITE for destructive operations in SKILL.md; consider adding a dry-run flag before destructive operations.
 scripts/build-index.py:171
ResourceDeclaredInferredStatusEvidence
Filesystem NONE READ ✓ Aligned SKILL.md: no allowed-tools section; build-index.py and load.py read memory/ and …
Filesystem NONE WRITE ✓ Aligned build-index.py: writes index.json and projects.json to output_dir; load.py: read…
Shell NONE NONE No subprocess, os.system, or shell invocation found.
Network NONE NONE No network requests of any kind in any script.
3 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/ClawHub-tiered--recall-blue
README.md:5
🔗
Medium External URL 外部 URL
https://clawhub.com/skill/tiered-recall
README.md:5
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/version-1.0.0-green
README.md:6

File Tree

6 files · 36.7 KB · 1251 lines
Python 3f · 617L Markdown 2f · 592L JSON 1f · 42L
├─ 📁 scripts
│ ├─ 🐍 build-index.py Python 265L · 9.6 KB
│ ├─ 🐍 check_index.py Python 20L · 715 B
│ └─ 🐍 load.py Python 332L · 11.0 KB
├─ 🔑 config.json JSON 42L · 1.5 KB
├─ 📝 README.md Markdown 129L · 3.1 KB
└─ 📝 SKILL.md Markdown 463L · 10.9 KB

Security Positives

✓ No network requests of any kind — fully offline operation
✓ No credential harvesting or environment variable enumeration
✓ No remote script execution (no curl|bash, wget|sh, or eval patterns)
✓ No base64-encoded payloads or obfuscated code
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No subprocess or shell invocation — all operations are pure Python pathlib/json
✓ Script code is readable and straightforward, with no hidden functionality
✓ No external dependencies beyond the Python standard library