calculator-chat Security Report — Trusted | ClawSafe

5 /100

calculator-chat

用计算器数字回应用户。当用户发送 /calc-chat 或表达情感时，在系统计算器上显示对应数字

A legitimate calculator automation skill that translates text phrases into calculator number displays using platform-specific system commands.

Skill Namecalculator-chat

Duration40.6s

Enginepi

✓

Safe to install

This skill is safe to use. Consider adding explicit documentation about subprocess usage for transparency.

Findings 1 items

Severity	Finding	Location
Low	Eval security reference misaligned Doc Mismatch SKILL.md mentions '使用受限的 eval 命名空间' but this only applies to the calculator.py GUI component, not the main entry point flow `计算安全：使用受限的 eval 命名空间` → Clarify that restricted eval only applies to the GUI calculator component	`SKILL.md:28`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	src/index.js:11 - execSync/spawn for calculator launch
Filesystem	`NONE`	`READ`	✓ Aligned	src/platform/windows.js:20 - reads require.main.filename only
Network	`NONE`	`NONE`	—	No network code found
Environment	`NONE`	`READ`	✓ Aligned	DISPLAY env var set for VM support, documented
Skill Invoke	`NONE`	`NONE`	—	No recursive skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

File Tree

13 files · 34.2 KB · 1388 lines

Markdown 3f · 569L Python 3f · 399L JavaScript 4f · 361L JSON 3f · 59L

├─ ▾ 📁 docs

│ └─ ▾ 📁 plans

│ ├─ 📝 2026-03-08-calculator-chat-skill-design.md Markdown 104L · 2.6 KB

│ └─ 📝 2026-03-08-calculator-chat-skill-implementation-plan.md Markdown 405L · 8.5 KB

├─ ▾ 📁 src

│ ├─ ▾ 📁 platform

│ │ ├─ 📜 linux.js JavaScript 49L · 1.4 KB

│ │ ├─ 📜 macos.js JavaScript 39L · 979 B

│ │ └─ 📜 windows.js JavaScript 91L · 2.3 KB

│ ├─ 🐍 calculator.py Python 244L · 7.0 KB

│ ├─ 📜 index.js JavaScript 182L · 4.9 KB

│ ├─ 🐍 open_calc.py Python 99L · 2.6 KB

│ └─ 🐍 show_calc.py Python 56L · 1.5 KB

├─ 📋 mapping.json JSON 10L · 176 B

├─ 📋 package-lock.json JSON 16L · 277 B

├─ 📋 package.json JSON 33L · 657 B

└─ 📝 SKILL.md Markdown 60L · 1.4 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`node`	`>=14.0.0`	system	No	Runtime requirement, already standard
`python3`	`*`	system	No	Optional fallback, only for gnome-calculator invocation
`gnome-calculator`	`*`	system	No	Required binary on Linux only

Security Positives

✓ Input validation with safe_chars whitelist prevents injection attacks

✓ Process management prevents duplicate calculator instances

✓ No external network requests or data exfiltration

✓ No credential or sensitive file access

✓ Platform-specific implementations properly scoped

✓ Cross-platform support with appropriate tools per OS (gnome-calculator/Linux, osascript/macOS, PowerShell/Windows)

✓ No base64 encoding or obfuscation found

✓ Dependencies properly declared and pinned in package.json

Scan Report

Findings 1 items

File Tree

Dependencies 3 items

Security Positives