Trusted (risk score 0/100)
Last scanned: 18 hours ago
gamma
Create presentations, documents, social posts, and web pages via the Gamma.app API
This is a legitimate Gamma.app API wrapper with no malicious behavior, no sensitive resource access, and accurate documentation matching its declared functionality.
Skill name: gamma
Analysis time: 31.6s
Engine: pi
Can be installed
No action needed. The skill is safe to use as documented.
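| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem read/write operations in gamma.sh |
| Network access | READ | READ | ✓ Consistent | gamma.sh:52 — only connects to https://public-api.gamma.app/v1.0 |
| Command execution | WRITE | WRITE | ✓ Consistent | gamma.sh:18 — uses curl and python3 for API calls; bash is the runtime, not arbi… |
| Environment variables | READ | READ | ✓ Consistent | gamma.sh:45 — reads GAMMA_API_KEY only; no iteration over os.environ |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |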
5 findings

Medium risk · External URL
https://gamma.app
SKILL.md:6

Medium risk · External URL
https://developers.gamma.app/docs/getting-started
SKILL.md:21

Medium risk · External URL
https://gamma.app/settings
SKILL.md:28

Medium risk · External URL
https://public-api.gamma.app/v1.0
SKILL.md:31

Medium risk · External URL
https://gamma.app/docs/xxx
references/api-reference.md:62

Directory structure

3 files · 16.7 KB · 490 lines
Shell 1f · 275L Markdown 2f · 215L
├─ 📁 references
│ └─ 📝 api-reference.md Markdown 87L · 3.8 KB
├─ 📁 scripts
│ └─ 🔧 gamma.sh Shell 275L · 8.2 KB
└─ 📝 SKILL.md Markdown 128L · 4.7 KB

Security highlights

✓ Documentation accurately describes all functionality — no doc-to-code mismatch
✓ Network access is restricted to a single, declared API endpoint: https://public-api.gamma.app/v1.0
✓ API key is only transmitted to the declared Gamma API, not exfiltrated elsewhere
✓ Uses safe tooling: curl for HTTP, python3 for JSON parsing — no subprocess with user-controlled input
✓ No credential harvesting — only reads GAMMA_API_KEY for its own use
✓ No base64-encoded payloads, no eval(), no obfuscation
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risk — no third-party dependencies or package installations
✓ No sensitive file or path access (~/.ssh, ~/.aws, .env files)
✓ Uses defensive bash practices (set -euo pipefail)
✓ Error handling via die() function with clear messages