Suspicious: risk score 45/100
Last scan: 2 days ago
doctor-check
System diagnostics: checks the health of OpenClaw and its runtime environment
SKILL.md declares an API key validation and a permission check without specifying how they are implemented or what access level they need, creating a doc-to-code mismatch risk.
Skill name: doctor-check
Analysis time: 28.4 s
Engine: pi
Use with caution
Request the implementation code before deployment. The declared API key validity check and permission settings require full disclosure of how keys are validated and which file and system resources are accessed.

Security findings: 3

Severity | Finding | Location
Medium
API key validation method unspecified [Documentation deception]
SKILL.md declares 'API密钥有效性检查' (API key validity check) but does not specify whether keys are validated locally or by calling an external service. This creates ambiguity about network access and data handling.
- API密钥有效性 (API key validity)
→ Clarify whether API keys are validated locally (structure check) or externally (network request to a validation endpoint)
SKILL.md:15
Low
Permission check scope not declared [Documentation deception]
'权限设置' (permission settings) is declared as a check item, but neither the scope of the permissions checked nor the method is specified.
- 权限设置 (permission settings)
→ Specify which permission categories are checked and what constitutes a permission issue
SKILL.md:16
Low
Implicit filesystem WRITE not declared [Documentation deception]
'锁文件清理' (lock file cleanup) implies the ability to delete files, which constitutes filesystem WRITE access, but this is not explicitly declared in the capability model.
- 锁文件清理 (lock file cleanup)
→ Explicitly declare filesystem WRITE permission if lock file cleanup involves deletion
SKILL.md:12
Resource type         Declared  Inferred  Status        Evidence
Filesystem            NONE      UNKNOWN   ✓ Consistent  SKILL.md: '锁文件清理' (lock file cleanup) implies deletion capability
Environment variables READ      UNKNOWN   ✓ Consistent  SKILL.md: '环境检查' (environment check) declared, but no detail on scope
Network access        NONE      UNKNOWN   ✓ Consistent  SKILL.md: 'API密钥有效性' (API key validity) may require network access for validation
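How a checker can turn the table's UNKNOWN inferred levels into the three findings above, as an added example (not the scanner's or the doctor-check project's own code). It assumes a hypothetical SKILL.md layout with a '## 检查项' (check items) bullet list and a '## 权限' (permissions) block of 'resource: LEVEL' lines, maps each check item to the access it implies using an assumed keyword table, and flags any item whose implied level exceeds the declared one. The sample manifest is constructed from the strings quoted in the report; the severity rule (medium when an undeclared network path is only possible, low otherwise) is an assumption chosen to reproduce the report's severities.

```python
"""Declared-vs-implied capability check for a SKILL.md manifest.

Added example, not the scanner's or doctor-check's code. The SKILL.md layout
('## 检查项' list, '## 权限' block of 'resource: LEVEL' lines), the keyword
map and the severity rule are all assumptions for illustration.
"""
import re

# Constructed sample manifest, built from the strings the report quotes.
SAMPLE_SKILL_MD = """\
# doctor-check
系统诊断 - 检查OpenClaw和运行环境健康状态

## 检查项
- 环境检查
- 锁文件清理
- API密钥有效性
- 权限设置

## 权限
filesystem: NONE
env: READ
network: NONE
"""

# Assumed mapping from a declared check item to the access it implies:
# (resource, level, certainty). Deleting lock files is a definite WRITE;
# validating an API key only *possibly* needs the network.
IMPLIED_CAPABILITIES = {
    "锁文件清理": ("filesystem", "WRITE", "definite"),
    "API密钥有效性": ("network", "ACCESS", "possible"),
    "环境检查": ("env", "READ", "definite"),
    "权限设置": ("filesystem", "READ", "possible"),
}

# Ordering used to decide whether an implied level exceeds a declared one.
LEVEL_RANK = {"NONE": 0, "READ": 1, "ACCESS": 1, "WRITE": 2}


def parse_skill_md(text):
    """Return (check_items, declared) from the hypothetical SKILL.md layout."""
    check_items, declared = [], {}
    section = None
    for line in text.splitlines():
        if line.startswith("## "):
            section = line[3:].strip()
            continue
        if section == "检查项" and line.startswith("- "):
            check_items.append(line[2:].strip())
        elif section == "权限":
            m = re.match(r"(\w+):\s*(\w+)", line)
            if m:
                declared[m.group(1)] = m.group(2).upper()
    return check_items, declared


def find_mismatches(text):
    """Compare the access implied by each check item with the declared model.

    Returns a list of (severity, resource, declared_level, implied_level, item).
    An undeclared but only possible network path is 'medium' (data may leave
    the host and the document does not say so); everything else is 'low'.
    """
    check_items, declared = parse_skill_md(text)
    findings = []
    for item in check_items:
        if item not in IMPLIED_CAPABILITIES:
            continue  # unknown item: nothing can be inferred, stays UNKNOWN
        resource, implied, certainty = IMPLIED_CAPABILITIES[item]
        declared_level = declared.get(resource, "NONE")
        if LEVEL_RANK[implied] > LEVEL_RANK[declared_level]:
            is_net = resource == "network" and certainty == "possible"
            severity = "medium" if is_net else "low"
            findings.append((severity, resource, declared_level, implied, item))
    return findings


if __name__ == "__main__":
    for sev, res, dec, imp, item in find_mismatches(SAMPLE_SKILL_MD):
        print(f"{sev:6} {res:10} declared={dec:5} implied={imp:6} via '{item}'")
```

The table above reports every row as consistent only because the inferred column is UNKNOWN; the example resolves the inference with explicit, labelled assumptions so that the lock-file WRITE and the possible network path surface as mismatches, which is exactly what the three findings do.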

Directory structure

1 file · 828 B · 53 lines
Markdown 1 file · 53 lines
└─ 📝 SKILL.md  Markdown  53 lines · 828 B

Security highlights

✓ No actual code files present: malicious behavior cannot execute without an implementation
✓ No network requests declared (only implied via the API key check)
✓ No credential harvesting explicitly declared
✓ No base64, obfuscation, or suspicious patterns in documentation