meeting-minutes-assistant 安全扫描报告 — 可信 | ClawSafe

5 /100

meeting-minutes-assistant

会议录音转结构化纪要 (ASR → LLM总结 → 可选TTS)

The skill is a straightforward meeting minutes assistant with no hidden or malicious behavior—code performs exactly what documentation describes.

技能名称meeting-minutes-assistant

分析耗时34.2s

引擎pi

✓

可以安装

No action needed. The skill can be safely deployed.

安全发现 1 项

严重性	安全发现	位置
低危	Dependencies not pinned to exact versions 供应链 requirements.txt specifies openai>=1.30.0, requests>=2.31.0, python-dotenv>=1.0.0. While these are known legitimate packages, loose versioning allows a future compatible-but-malicious version to be installed on pip install. `openai>=1.30.0 requests>=2.31.0 python-dotenv>=1.0.0` → Pin to exact versions (e.g., openai==1.30.0) to ensure reproducible builds.	`requirements.txt:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	audio_file.open('rb') at scripts/run_meeting_minutes.py:75
文件系统	`WRITE`	`WRITE`	✓ 一致	OUTPUT_DIR.mkdir() and output_path.write_text() at lines 196, 218
网络访问	`READ`	`READ`	✓ 一致	requests.post() to ASR/TTS URLs at lines 63, 69
命令执行	`NONE`	`NONE`	—	No subprocess or os.system calls found
环境变量	`NONE`	`READ`	✓ 一致	Reads .env via python-dotenv; not declared in SKILL.md but benign

4 项发现

🔗

中危外部 URL 外部 URL

https://models.audiozen.cn/v1

SKILL.md:112

🔗

中危外部 URL 外部 URL

https://api.senseaudio.cn

SKILL.md:113

🔗

中危外部 URL 外部 URL

https://api.senseaudio.cn/v1/audio/transcriptions

scripts/run_meeting_minutes.py:63

🔗

中危外部 URL 外部 URL

https://api.senseaudio.cn/v1/t2a_v2

scripts/run_meeting_minutes.py:69

目录结构

6 文件 · 15.0 KB · 506 行

Python 1f · 313L Markdown 3f · 188L Text 1f · 3L YAML 1f · 2L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 2L · 51 B

├─ ▾ 📁 references

│ ├─ 📝 output_schema.md Markdown 29L · 845 B

│ └─ 📝 prompts.md Markdown 40L · 792 B

├─ ▾ 📁 scripts

│ └─ 🐍 run_meeting_minutes.py Python 313L · 10.2 KB

├─ 📄 requirements.txt Text 3L · 53 B

└─ 📝 SKILL.md Markdown 119L · 3.0 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`openai`	`>=1.30.0`	pip	否	Version not pinned; known legitimate package
`requests`	`>=2.31.0`	pip	否	Version not pinned; known legitimate package
`python-dotenv`	`>=1.0.0`	pip	否	Version not pinned; known legitimate package

安全亮点

✓ No subprocess, os.system, or shell execution found

✓ No credential harvesting or environment variable enumeration for theft

✓ No base64, eval, or code obfuscation

✓ All network calls target only declared API endpoints (SenseAudio, LLM backend)

✓ Code-to-doc alignment is high: every function maps to documented behavior

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env secrets exfiltration)

✓ No data exfiltration or C2 communication patterns

✓ File writes scoped to skill-local outputs/ directory only