Low risk: risk score 20/100
Last scanned: 21 hours ago
anki-card-creator
Convert medical textbook content into Anki flashcards using spaced repetition optimization
Documentation overstates capabilities compared to actual implementation, but no malicious behavior detected in the simple Python flashcard generator.
Skill name: anki-card-creator
Analysis time: 133.5s
Engine: pi
OK to install
Review SKILL.md for accuracy - remove references to non-existent modules and trim feature descriptions to match actual implementation.

Security findings: 3

Severity | Finding | Location
Low
SKILL.md references non-existent implementation files · Documentation deception
The 'Scripts' section and workflow examples reference scripts/card_creator.py, scripts/cloze_generator.py, scripts/image_occlusion.py, scripts/pdf_importer.py, scripts/tag_manager.py, scripts/media_handler.py, and scripts/anki_exporter.py, but only scripts/main.py exists with a basic AnkiCardCreator class.
- `card_creator.py` - Core card generation engine
- `cloze_generator.py` - Cloze deletion algorithms
→ Update SKILL.md to accurately reflect the actual implementation. Either implement missing modules or remove references to them.
SKILL.md:290
Low
Feature descriptions exceed actual capabilities · Documentation deception
SKILL.md describes .apkg export, image occlusion, PDF import, batch processing, and deck merging. The actual implementation only supports basic TSV export with drug and anatomy card types.
- **Batch Processing**: Convert entire chapters or courses efficiently
→ Remove or clearly mark planned/unimplemented features in documentation.
SKILL.md:35
Info
Bash tool declared but never used · Privilege escalation
allowed-tools includes 'Bash' implying shell:WRITE access, but the code uses only standard library (argparse, re) with no subprocess calls.
allowed-tools: [Read, Write, Bash, Edit]
→ Remove Bash from allowed-tools if not used, to accurately reflect minimal permission requirements.
SKILL.md:7
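| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | scripts/main.py:71 open(output_file, 'w') |
| Network access | NONE | NONE | | No network imports or requests |
| Command execution | WRITE | NONE | ✗ Over-privileged | Bash declared but never used in implementation |
| Environment variables | NONE | NONE | | No os.environ access |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |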

Directory structure

4 files · 21.7 KB · 673 lines
Markdown 1f · 545L Python 1f · 123L Text 2f · 5L
├─ 📁 scripts
│ └─ 🐍 main.py Python 123L · 4.4 KB
├─ 📄 anki_cards.txt Text 1L · 165 B
├─ 📄 requirements.txt Text 4L · 84 B
└─ 📝 SKILL.md Markdown 545L · 17.1 KB

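Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| argparse | stdlib | Python standard library | | Standard library module |
| re | stdlib | Python standard library | | Standard library module |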

Security highlights

✓ Uses only Python standard library (argparse, re) - no external dependencies with potential vulnerabilities
✓ No network requests or external API calls
✓ No credential harvesting or sensitive path access
✓ No obfuscation, base64 execution, or anti-analysis techniques
✓ Simple, readable code that performs its stated basic function
✓ Input validation through argparse - no arbitrary file write vulnerabilities