bp-reporting-templates Security Report — Low Risk | ClawSafe

15 /100

bp-reporting-templates

Generate BP monthly/quarterly/half-year/year report filling templates from BP data (API first, file fallback) with strict reviewer checks

Legitimate BP report template generation skill with no malicious behavior; minor supply chain concern due to unpinned dependency versions.

Skill Namebp-reporting-templates

Duration53.0s

Enginepi

✓

Safe to install

Pin dependency versions in requirements.txt to prevent supply chain risks from unpinned packages.

Findings 2 items

Severity	Finding	Location
Low	Unpinned dependency versions Supply Chain requirements.txt uses >= without upper bounds for requests, aiohttp, and PyYAML, allowing potentially incompatible versions to be installed. `requests>=2.28.0 aiohttp>=3.8.0 PyYAML>=6.0` → Pin to specific versions, e.g., requests==2.28.0, aiohttp==3.8.6, PyYAML==6.0.1	`requirements.txt:1`
Info	Environment variable access for API key Sensitive Access The skill reads BP_APP_KEY and COMPANY_APP_KEY from environment variables, which is declared in SKILL.md metadata. The key is used only for legitimate BP API calls and is not exfiltrated. `return (cli_app_key or os.getenv('BP_APP_KEY') or os.getenv('COMPANY_APP_KEY') or '').strip()` → No action needed - this is declared behavior	`scripts/main.py:112`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	SKILL.md declares api_client with 'permission: read'; code makes HTTP GET/POST t…
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares template_manager with 'permission: write'; writes to ./output …
Environment	`READ`	`READ`	✓ Aligned	SKILL.md metadata declares BP_APP_KEY env requirement; code reads it via os.gete…
Shell	`NONE`	`NONE`	—	No subprocess, shell=True, or system() calls found

1 findings

🔗

Medium External URL 外部 URL

https://sg-al-cwork-web.mediportal.com.cn/open-api

scripts/api_client.py:350

File Tree

47 files · 264.6 KB · 7198 lines

Markdown 35f · 5130L Python 9f · 1871L JSON 1f · 124L YAML 1f · 70L Text 1f · 3L

├─ ▾ 📁 design

│ ├─ 📝 DESIGN.md Markdown 24L · 1.0 KB

│ ├─ 📝 DISCUSSION-LOG.md Markdown 12L · 550 B

│ └─ 📝 LEARNING-LOOP.md Markdown 7L · 303 B

├─ ▾ 📁 references

│ ├─ 📋 alert_rules.yaml YAML 70L · 1.6 KB

│ ├─ 📝 BP编码速查表.md Markdown 77L · 3.0 KB

│ ├─ 📝 基础模板_半年报.md Markdown 116L · 2.4 KB

│ ├─ 📝 基础模板_季报.md Markdown 116L · 2.3 KB

│ ├─ 📝 基础模板_年报.md Markdown 116L · 2.4 KB

│ ├─ 📝 基础模板_月报.md Markdown 135L · 2.7 KB

│ └─ 📝 通用填写规范.md Markdown 109L · 3.3 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 api_client.py Python 357L · 12.0 KB

│ ├─ 🐍 filler.py Python 269L · 8.7 KB

│ ├─ 🐍 input_handler.py Python 128L · 3.2 KB

│ ├─ 🐍 main.py Python 290L · 11.0 KB

│ ├─ 🐍 parser.py Python 151L · 4.0 KB

│ ├─ 🐍 reviewer.py Python 338L · 9.6 KB

│ ├─ 🐍 template_manager.py Python 81L · 2.5 KB

│ └─ 🐍 utils.py Python 105L · 2.4 KB

├─ ▾ 📁 tests

│ ├─ ▾ 📁 output-archives

│ │ ├─ ▾ 📁 output-fallback-test

│ │ │ ├─ 📝 产品中心_林刚_季报填写规范_DRAFT_审查未通过.md Markdown 113L · 2.3 KB

│ │ │ ├─ 📋 产品中心_林刚_季报填写规范_REVIEW.json JSON 124L · 3.4 KB

│ │ │ └─ 📝 产品中心_林刚_季报填写规范.md Markdown 113L · 2.7 KB

│ │ ├─ ▾ 📁 output-regression-4set

│ │ │ ├─ 📝 集团_组织_半年报填写规范.md Markdown 352L · 24.2 KB

│ │ │ ├─ 📝 集团_组织_季报填写规范.md Markdown 353L · 26.3 KB

│ │ │ ├─ 📝 集团_组织_年报填写规范.md Markdown 351L · 24.2 KB

│ │ │ └─ 📝 集团_组织_月报填写规范.md Markdown 363L · 25.9 KB

│ │ └─ ▾ 📁 output-uat-batch-2026bp

│ │ ├─ 📝 产品部_组织_季报填写规范.md Markdown 213L · 7.9 KB

│ │ ├─ 📝 产品部_组织_月报填写规范.md Markdown 223L · 7.4 KB

│ │ ├─ 📝 人力资源部_组织_季报填写规范.md Markdown 128L · 4.0 KB

│ │ ├─ 📝 人力资源部_组织_月报填写规范.md Markdown 138L · 3.7 KB

│ │ ├─ 📝 技术部_组织_季报填写规范.md Markdown 199L · 6.9 KB

│ │ ├─ 📝 技术部_组织_月报填写规范.md Markdown 209L · 6.5 KB

│ │ ├─ 📝 法务部_组织_季报填写规范.md Markdown 116L · 2.8 KB

│ │ ├─ 📝 法务部_组织_月报填写规范.md Markdown 135L · 3.0 KB

│ │ ├─ 📝 行政管理部_组织_季报填写规范.md Markdown 116L · 2.8 KB

│ │ ├─ 📝 行政管理部_组织_月报填写规范.md Markdown 135L · 3.0 KB

│ │ ├─ 📝 行政部_组织_季报填写规范.md Markdown 116L · 2.8 KB

│ │ ├─ 📝 行政部_组织_月报填写规范.md Markdown 135L · 3.0 KB

│ │ ├─ 📝 财务部_组织_季报填写规范.md Markdown 116L · 2.8 KB

│ │ ├─ 📝 财务部_组织_月报填写规范.md Markdown 135L · 3.0 KB

│ │ ├─ 📝 运营部_组织_季报填写规范.md Markdown 116L · 2.8 KB

│ │ ├─ 📝 运营部_组织_月报填写规范.md Markdown 135L · 3.0 KB

│ │ ├─ 📝 销售部_组织_季报填写规范.md Markdown 143L · 4.7 KB

│ │ └─ 📝 销售部_组织_月报填写规范.md Markdown 153L · 4.5 KB

│ └─ 🐍 test_all.py Python 152L · 4.7 KB

├─ 📄 requirements.txt Text 3L · 44 B

├─ 📝 setup.md Markdown 24L · 500 B

└─ 📝 SKILL.md Markdown 88L · 2.8 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`requests`	`>=2.28.0`	pip	No	Version not pinned - no upper bound
`aiohttp`	`>=3.8.0`	pip	No	Version not pinned - no upper bound
`PyYAML`	`>=6.0`	pip	No	Version not pinned - no upper bound

Security Positives

✓ No code execution vulnerabilities (no eval, exec, or compile())

✓ No subprocess or shell=True usage

✓ No base64-encoded execution or obfuscation

✓ No credential theft - API keys used only for intended BP API calls

✓ No data exfiltration - all network traffic is to the declared BP API endpoint

✓ No sensitive file access (~/.ssh, ~/.aws, .env)

✓ No hidden functionality - all capabilities match declared permissions

✓ No remote script execution (curl|bash, wget|sh)

✓ File writes restricted to ./output directory only

✓ Clean regex-based parsing without unsafe constructs

Scan Report

Findings 2 items

File Tree

Dependencies 3 items

Security Positives