中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:18 hr ago Rescan
20 /100
WeChat Mini Program Builder
AI-assisted WeChat mini-program development tool
Legitimate WeChat mini-program builder tool with no malicious behavior; minor supply chain concern due to unpinned dependency.
Skill NameWeChat Mini Program Builder
Duration23.6s
Enginepi
Safe to install
Pin the openclaw dependency to a specific version to prevent potential supply chain attacks. Otherwise, the skill is safe to use.

Findings 1 items

Severity Finding Location
Low
Unpinned Dependency Supply Chain
The 'openclaw' package is imported without version constraints. This allows the dependency to auto-update, potentially introducing malicious code in future versions.
from openclaw import OpenClaw
→ Add a requirements.txt with pinned versions: openclaw==1.2.3
 mp_builder.py:10
ResourceDeclaredInferredStatusEvidence
Filesystem READ WRITE ✓ Aligned SKILL.md does not mention file creation; mp_builder.py:55-60 creates directories
Network NONE READ ✓ Aligned mp_builder.py:98-103 makes API calls to OpenClaw service
1 findings
🔗
Medium External URL 外部 URL
https://discord.gg/clawd
SKILL.md:49

File Tree

2 files · 7.5 KB · 244 lines
Python 1f · 191L Markdown 1f · 53L
├─ 🐍 mp_builder.py Python 191L · 6.2 KB
└─ 📝 SKILL.md Markdown 53L · 1.3 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
openclaw unpinned import No No version constraint specified - potential supply chain risk

Security Positives

✓ No subprocess or shell execution detected
✓ No credential harvesting beyond required API key
✓ No data exfiltration or C2 communication
✓ No obfuscation or encoded payloads
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden functionality - code matches documentation
✓ Clean, straightforward implementation