Low risk (risk score 22/100)
Last scanned: 1 day ago
lookupmark-local-rag
Semantic search over local files using all-MiniLM-L6-v2 embeddings and ms-marco-MiniLM-L-6-v2 cross-encoder reranking with ChromaDB and parent-child chunking
A legitimate local document indexing and search tool with well-defined security boundaries, though it uses undocumented shell commands for dependency installation and monitoring.
Skill name: lookupmark-local-rag
Analysis time: 59.6s
Engine: pi
Safe to install
Approve for use with standard sandboxing. Declare subprocess usage in SKILL.md and fix the documentation mismatch on supported file types.

Security findings: 3

Severity | Finding | Location
Low
Subprocess usage not declared in SKILL.md (Documentation deception)
index.py runs 'uv pip install' via subprocess when python-docx is missing (line ~94-98). monitor.py runs 'ps aux', 'git log', 'du' via subprocess (lines ~48, ~78, ~88). Neither is declared in the Security section or anywhere in SKILL.md.
subprocess.check_call(['uv', 'pip', 'install', '-p', sys.executable, 'python-docx'])
→ Add 'subprocess' to the declared capabilities in SKILL.md with a note that it is used for on-demand dependency installation and system monitoring tools.
scripts/index.py:96
Low
Supported file type mismatch between docs and code (Documentation deception)
SKILL.md states the skill only processes documents and explicitly excludes code files (.py, .js, .sh, .ipynb, .html, .css), yet index.py includes .html, .css, and .xml in TEXT_EXTENSIONS. While these are not malicious, the mismatch is a documentation inaccuracy.
TEXT_EXTENSIONS = { ".txt", ".md", ".rst", ".csv", ".tsv", ".yaml", ".yml", ".json", ".toml", ".cfg", ".ini", ".xml", ".html", ".css", ".tex", ".bib", ".log" }
→ Align TEXT_EXTENSIONS with SKILL.md documentation, or update SKILL.md to correctly list all supported extensions including .html, .css, .xml.
scripts/index.py:51
Low
Unpinned dependency (index-batch.sh: uv pip install) (Supply chain)
index.py runs 'uv pip install python-docx' without a version pin. If python-docx publishes a malicious update, it could be pulled. However this only triggers on ImportError, making opportunistic injection difficult.
subprocess.check_call(['uv', 'pip', 'install', '-p', sys.executable, 'python-docx'])
→ Pin to a known-safe version: 'python-docx==0.8.11' or similar, or document why unpinned is acceptable in this context.
scripts/index.py:96
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | WRITE | ✓ Consistent | SKILL.md: 'Optimized for low-RAM ARM devices' — file writes are to ~/.local/shar…
Network access | READ | READ | ✓ Consistent | Downloads sentence-transformer models from HuggingFace; all model downloads are …
Command execution | NONE | WRITE | ✗ Exceeds declared permissions | scripts/index.py:96 subprocess.check_call(['uv', 'pip', 'install', ...]); script…

Directory structure

6 files · 31.5 KB · 962 lines
Python 3f · 671L Shell 1f · 157L Markdown 1f · 129L JSON 1f · 5L
├─ 📁 scripts
│ ├─ 🔧 index-batch.sh Shell 157L · 4.2 KB
│ ├─ 🐍 index.py Python 302L · 10.3 KB
│ ├─ 🐍 monitor.py Python 194L · 6.1 KB
│ └─ 🐍 query.py Python 175L · 5.8 KB
├─ 📋 _meta.json JSON 5L · 139 B
└─ 📝 SKILL.md Markdown 129L · 5.0 KB

Dependency analysis: 3 items

Package | Version | Source | Known vulnerabilities | Notes
chromadb | * | pip | | Version not pinned — indirect dependency via requirements
sentence-transformers | * | pip | | Version not pinned — core dependency
python-docx | * | pip | | Version not pinned; installed on-demand by index.py

Security highlights

✓ Security boundaries are well-implemented: ALLOWED_ROOTS restrict indexing to ~/Documenti and ~/Scaricati only
✓ BLOCKED_PATTERNS explicitly exclude .ssh, .gnupg, .env, credentials, tokens, and .config/openclaw
✓ File hash checking (SHA-256) prevents re-indexing unchanged files — no data duplication risk
✓ No hardcoded credentials, API keys, or secrets anywhere in the codebase
✓ No base64, eval, or obfuscation patterns present
✓ No external network calls except to HuggingFace for model downloads (legitimate and declared)
✓ No C2, reverse shell, or data exfiltration behavior observed
✓ Git-based rollback in index-batch.sh provides integrity protection against corruption
✓ OOM protection via SIGKILL detection and rollback is a responsible design choice for low-RAM devices
✓ Trustworthy purpose: local semantic document search with no outbound data transmission