Suspicious — Risk Score 45/100
Last scan: 1 day ago
doctor-check
System diagnostics - checks the health of OpenClaw and its runtime environment
SKILL.md declares API key validation and permission checks without specifying implementation details or access levels, creating a doc-to-code mismatch risk.
Skill Name: doctor-check
Duration: 28.4s
Engine: pi
Use with caution
Request implementation code before deployment. The declared API key validity check and permission settings require full disclosure of how keys are validated and what file/system resources are accessed.

Findings (3 items)

Severity: Medium
Finding: API key validation method unspecified (Doc Mismatch)
Description: SKILL.md declares 'API密钥有效性检查' (API key validity check) but does not specify whether keys are validated locally or by calling an external service. This leaves the skill's network access and data handling ambiguous.
Evidence: API密钥有效性 (API key validity)
→ Clarify whether API keys are validated locally (structure check) or externally (network request to a validation endpoint)
Location: SKILL.md:15
Severity: Low
Finding: Permission check scope not declared (Doc Mismatch)
Description: '权限设置' (permission settings) is declared as a check item, but neither the scope of the permissions checked nor the method of checking them is specified.
Evidence: 权限设置 (permission settings)
→ Specify which permission categories are checked and what constitutes a permission issue
Location: SKILL.md:16
Severity: Low
Finding: Implicit filesystem WRITE not declared (Doc Mismatch)
Description: '锁文件清理' (lock file cleanup) implies the ability to delete files, which constitutes filesystem WRITE access, but this is not explicitly declared in the capability model.
Evidence: 锁文件清理 (lock file cleanup)
→ Explicitly declare filesystem WRITE permission if lock file cleanup involves deletion
Location: SKILL.md:12
Resource     Declared  Inferred  Status     Evidence
Filesystem   NONE      UNKNOWN   ✓ Aligned  SKILL.md: '锁文件清理' (lock file cleanup) implies deletion capability
Environment  READ      UNKNOWN   ✓ Aligned  SKILL.md: '环境检查' (environment check) declared but no detail on scope
Network      NONE      UNKNOWN   ✓ Aligned  SKILL.md: 'API密钥有效性' (API key validity) may require network access for validation

File Tree

1 file · 828 B · 53 lines
Markdown: 1 file · 53 lines
└─ 📝 SKILL.md (Markdown, 53 lines, 828 B)

Security Positives

✓ No code files present - the skill cannot execute malicious behavior without an implementation
✓ No network requests declared (only implied by the API key check)
✓ No credential harvesting explicitly declared
✓ No base64, obfuscation, or suspicious patterns in documentation