WeChat Mini Program Builder 安全扫描报告 — 低风险 | ClawSafe

20 /100

WeChat Mini Program Builder

AI-assisted WeChat mini-program development tool

Legitimate WeChat mini-program builder tool with no malicious behavior; minor supply chain concern due to unpinned dependency.

技能名称WeChat Mini Program Builder

分析耗时23.6s

引擎pi

✓

可以安装

Pin the openclaw dependency to a specific version to prevent potential supply chain attacks. Otherwise, the skill is safe to use.

安全发现 1 项

严重性	安全发现	位置
低危	Unpinned Dependency 供应链 The 'openclaw' package is imported without version constraints. This allows the dependency to auto-update, potentially introducing malicious code in future versions. `from openclaw import OpenClaw` → Add a requirements.txt with pinned versions: openclaw==1.2.3	`mp_builder.py:10`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✓ 一致	SKILL.md does not mention file creation; mp_builder.py:55-60 creates directories
网络访问	`NONE`	`READ`	✓ 一致	mp_builder.py:98-103 makes API calls to OpenClaw service

1 项发现

🔗

中危外部 URL 外部 URL

https://discord.gg/clawd

SKILL.md:49

2 文件 · 7.5 KB · 244 行

Python 1f · 191L Markdown 1f · 53L

├─ 🐍 mp_builder.py Python 191L · 6.2 KB

└─ 📝 SKILL.md Markdown 53L · 1.3 KB

包名	版本	来源	已知漏洞	备注
`openclaw`	`unpinned`	import	否	No version constraint specified - potential supply chain risk

✓ No subprocess or shell execution detected

✓ No credential harvesting beyond required API key

✓ No data exfiltration or C2 communication

✓ No obfuscation or encoded payloads

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No hidden functionality - code matches documentation

✓ Clean, straightforward implementation