Suspicious: risk score 40/100
Last scanned: 22 hours ago
ai-intelligent-helpdesk
Enterprise IT Helpdesk — ticket management + smart dispatching
The skill provides only documentation with no actual implementation code; its installation instructions point to an unverified remote repository and to local files that are not in the bundle (requirements.txt, app.py), constituting a doc-to-code mismatch and a potential social engineering vector.
Skill name: ai-intelligent-helpdesk
Analysis time: 31.7s
Engine: pi
Use with caution
Do not use this skill. The package contains no executable code despite claiming to be a FastAPI application. The git clone instruction points to an unverified external repository and may be a social engineering vector. Request that the vendor provide the actual source code for security review.

Attack chain (3 steps)

Escalation: Skill is distributed as a documentation-only package with no code
SKILL.md:1
Escalation: Installation instructions redirect the user to clone an unverified external repository
SKILL.md:31
Impact: The user blindly runs pip install and python app.py from an untrusted third-party repository, giving that code full shell access to the environment
SKILL.md:30

Security findings (3)

Severity: Medium
Finding: No implementation code present (category: documentation deception)
The package declares a FastAPI-based enterprise helpdesk system but contains only documentation files (SKILL.md, skill.json). There are no Python source files, no requirements.txt and no app.py; the entire implementation is absent, which makes independent security verification impossible.
Evidence:
    pip install -r requirements.txt
    python app.py
→ Request the actual source code before any security assessment. Refuse to install from the remote repository without code review.
Location: SKILL.md:30

Severity: Medium
Finding: Installation points to an unverified external repository (category: documentation deception)
The install instructions direct users to `git clone https://github.com/openclaw-skills/ai-intelligent-helpdesk`, a third-party repository that has not been security reviewed. The user is expected to download and execute code from this external source blindly.
Evidence:
    git clone https://github.com/openclaw-skills/ai-intelligent-helpdesk
→ Do not clone or execute code from this repository. Insist on a complete, self-contained package with all source code included in the skill bundle.
Location: SKILL.md:31

Severity: Low
Finding: Package metadata mismatch (category: documentation deception)
skill.json has "author": "yang1002378395-cmyk" (likely an auto-generated identifier) and "description": "AI intelligent ai-intelligent-helpdesk", a near-tautology that merely restates the skill name and suggests non-professional packaging. Together with the missing code, this weakens confidence in the skill's provenance.
Evidence:
    "author": "yang1002378395-cmyk", "description": "AI intelligent ai-intelligent-helpdesk"
→ Verify the identity and reputation of the skill author before use.
Location: skill.json:3
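A minimal version of the three checks the findings above describe, added here as an illustration; it is not the scanner's (engine "pi") code and not part of the skill. It flags install lines that name files absent from the bundle (doc-to-code mismatch), install lines that fetch code from outside the bundle, and a skill.json description that only restates the skill name. The SKILL.md and skill.json contents are constructed from the lines quoted in this report rather than taken from the package, and the command patterns and filler-word list are assumptions of this example.

```python
"""Static checks of the kind this report describes: does SKILL.md tell the user to
run files the bundle does not ship, does it pull code from outside the bundle, and
does skill.json's description say anything beyond the skill's name?"""
import json
import re
from dataclasses import dataclass

# Constructed sample inputs, not the scanned package's real files: the install
# lines the report quotes from SKILL.md and the two skill.json fields it flags.
SAMPLE_SKILL_MD = """\
# ai-intelligent-helpdesk

Enterprise IT Helpdesk built on FastAPI.

## Installation

    git clone https://github.com/openclaw-skills/ai-intelligent-helpdesk
    cd ai-intelligent-helpdesk
    pip install -r requirements.txt
    python app.py
"""
SAMPLE_SKILL_JSON = json.dumps({
    "name": "ai-intelligent-helpdesk",
    "author": "yang1002378395-cmyk",
    "description": "AI intelligent ai-intelligent-helpdesk",
})
SAMPLE_BUNDLE_FILES = {"SKILL.md", "skill.json"}  # per the directory listing


@dataclass(frozen=True)
class Finding:
    severity: str  # "medium" / "low", on the report's scale
    kind: str
    evidence: str
    message: str


# Commands that consume a local file; group 1 is the path they expect to exist.
# The list is an assumption of this example, not the scanner's rule set.
LOCAL_FILE_CMDS = [
    re.compile(r"\bpip3?\s+install\s+(?:.*\s)?-r\s+(\S+)"),
    re.compile(r"\bpython3?\s+(\S+\.py)\b"),
    re.compile(r"\bnode\s+(\S+\.js)\b"),
]
# Commands that fetch, and possibly execute, code from outside the bundle.
REMOTE_FETCH_CMDS = [
    re.compile(r"\bgit\s+clone\s+\S+"),
    re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b"),
]


def audit_skill_doc(doc_text: str, bundle_files: set[str]) -> list[Finding]:
    """Flag instructions that reference files the bundle does not ship (doc-to-code
    mismatch) and instructions that pull code from a remote location."""
    findings: list[Finding] = []
    for raw in doc_text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("#"):  # skip blanks and markdown headings
            continue
        for pat in LOCAL_FILE_CMDS:
            m = pat.search(cmd)
            if not m:
                continue
            path = m.group(1)
            path = path[2:] if path.startswith("./") else path
            if path not in bundle_files:
                findings.append(Finding("medium", "doc-to-code mismatch", cmd,
                                        f"references {path!r}, which is not in the bundle"))
        for pat in REMOTE_FETCH_CMDS:
            if pat.search(cmd):
                findings.append(Finding("medium", "external code fetch", cmd,
                                        "downloads code from outside the reviewed bundle"))
    return findings


def audit_metadata(skill_json: str) -> list[Finding]:
    """Flag a description that only restates the skill name plus filler words."""
    meta = json.loads(skill_json)
    name, desc = meta.get("name", ""), meta.get("description", "")
    tokens = lambda s: set(re.findall(r"[a-z0-9]+", s.lower()))
    filler = {"ai", "intelligent", "smart", "skill", "tool", "a", "an", "the"}
    informative = tokens(desc) - tokens(name) - filler
    if name and not informative:
        return [Finding("low", "metadata mismatch", desc,
                        "description adds nothing beyond the skill name")]
    return []


if __name__ == "__main__":
    for f in audit_skill_doc(SAMPLE_SKILL_MD, SAMPLE_BUNDLE_FILES) + audit_metadata(SAMPLE_SKILL_JSON):
        print(f"[{f.severity}] {f.kind}: {f.message}\n    {f.evidence}")
```

Run against the constructed inputs it reports one external fetch (the git clone) and two mismatches (requirements.txt and app.py), plus the low-severity metadata finding; the same checks return nothing for a bundle that actually ships both files and carries a descriptive description. A real scanner would also resolve paths relative to the bundle root and walk fenced code blocks rather than stripped lines, but the decision logic is the same.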

Directory structure

2 files · 1.2 KB · 58 lines
Markdown: 1 file, 51 lines · JSON: 1 file, 7 lines
├─ skill.json   JSON, 7 lines, 203 B
└─ SKILL.md     Markdown, 51 lines, 985 B

Security highlights

✓ No malicious code found (no code exists in this package at all)
✓ No sensitive file access observed (no filesystem code present)
✓ No network exfiltration code present (no scripts to analyze)
✓ No credential harvesting logic (no executable code)
✓ No obfuscated payloads (no base64 blobs or eval; the only shell commands are the plain install lines quoted above)
✓ No supply chain risk via dependencies (no dependency files)