gauntletscore 安全扫描报告 — 低风险 | ClawSafe

10 /100

gauntletscore

Trust verification for AI output — verify any document or code before you act on it

GauntletScore is a legitimate API-based document/code verification service. The pre-scan IOCs are false positives—'curl|bash' and 'gsk_your_key_here' are documentation references, not actual execution or hardcoded credentials.

技能名称gauntletscore

分析耗时34.8s

引擎pi

✓

可以安装

This skill is safe to use. The declared network access to api.gauntletscore.com is necessary for the service functionality. Consider the Sovereign Edition for air-gapped environments.

安全发现 3 项

严重性	安全发现	位置
提示	Intentional external data transfer 数据外泄 Documents and code are sent to api.gauntletscore.com for analysis. This is the core service function, declared in documentation, with Sovereign Edition as an air-gapped alternative. `POST https://api.gauntletscore.com/v1/analyze` → Inform users about data being sent externally. Sovereign Edition recommended for sensitive environments.	`SKILL.md:53`
提示	IOC false positive: curl\|bash reference 文档欺骗 The pre-scan flagged 'curl\|bash' at line 95, but this appears in the 'What It Catches' section describing what the service can detect—not actual execution. `Download-and-execute attacks (curl \| bash)` → No action needed; this is documentation, not code.	`SKILL.md:95`
提示	IOC false positive: gsk_your_key_here placeholder 文档欺骗 The pre-scan flagged 'gsk_your_key_here' at line 27, but this is a configuration example placeholder, not a real credential. `GAUNTLET_API_KEY = "gsk_your_key_here"` → No action needed; this is a placeholder showing expected format.	`SKILL.md:27`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	SKILL.md:53-78 — API endpoint documentation
环境变量	`READ`	`READ`	✓ 一致	SKILL.md:19 — requiredEnv: GAUNTLET_API_KEY
文件系统	`NONE`	`NONE`	—	N/A — No file access required or used
命令执行	`NONE`	`NONE`	—	N/A — No shell commands executed
数据库	`NONE`	`NONE`	—	N/A — No database access
剪贴板	`NONE`	`NONE`	—	N/A — No clipboard access
浏览器	`NONE`	`NONE`	—	N/A — No browser automation
技能调用	`NONE`	`NONE`	—	N/A — No skill chaining

1 严重 1 高危 15 项发现

💀

严重危险命令危险 Shell 命令

curl | bash

SKILL.md:95

🔑

高危 API 密钥疑似硬编码凭证

API_KEY = "gsk_your_key_here"

SKILL.md:27

🔗

中危外部 URL 外部 URL

https://gauntletscore.com

SKILL.md:7

🔗

中危外部 URL 外部 URL

https://api.gauntletscore.com

SKILL.md:8

🔗

中危外部 URL 外部 URL

https://api.gauntletscore.com/v1/analyze

SKILL.md:53

🔗

中危外部 URL 外部 URL

https://clawhub.ai/skills/gauntlet-validate/SKILL.md

SKILL.md:70

🔗

中危外部 URL 外部 URL

https://api.gauntletscore.com/v1/jobs/

SKILL.md:77

🔗

中危外部 URL 外部 URL

https://gauntletscore.com/pricing

SKILL.md:125

🔗

中危外部 URL 外部 URL

https://api.gauntletscore.com/v1/verify/

SKILL.md:132

🔗

中危外部 URL 外部 URL

https://gauntletscore.com/docs

SKILL.md:139

🔗

中危外部 URL 外部 URL

https://gauntletscore.com/terms

SKILL.md:140

🔗

中危外部 URL 外部 URL

https://gauntletscore.com/privacy

SKILL.md:141

🔗

中危外部 URL 外部 URL

https://gauntletscore.com/acceptable-use

SKILL.md:142

🔗

中危外部 URL 外部 URL

https://genstrata.com

SKILL.md:146

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:126

目录结构

1 文件 · 5.3 KB · 148 行

Markdown 1f · 148L

└─ 📝 SKILL.md Markdown 148L · 5.3 KB

安全亮点

✓ No executable scripts or code files present

✓ No credential harvesting beyond the declared API key

✓ Analysis is explicitly read-only (code never executed)

✓ Cryptographic certificate verification is a positive security feature

✓ Sovereign Edition available for air-gapped environments

✓ Adversarial multi-agent architecture reduces single-point failures

✓ No obfuscation, base64 encoding, or hidden functionality

✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)

✓ All behavior is clearly documented in SKILL.md