calculator-chat 安全扫描报告 — 可信 | ClawSafe

5 /100

calculator-chat

用计算器数字回应用户。当用户发送 /calc-chat 或表达情感时，在系统计算器上显示对应数字

A legitimate calculator automation skill that translates text phrases into calculator number displays using platform-specific system commands.

技能名称calculator-chat

分析耗时40.6s

引擎pi

✓

可以安装

This skill is safe to use. Consider adding explicit documentation about subprocess usage for transparency.

安全发现 1 项

严重性	安全发现	位置
低危	Eval security reference misaligned 文档欺骗 SKILL.md mentions '使用受限的 eval 命名空间' but this only applies to the calculator.py GUI component, not the main entry point flow `计算安全：使用受限的 eval 命名空间` → Clarify that restricted eval only applies to the GUI calculator component	`SKILL.md:28`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	src/index.js:11 - execSync/spawn for calculator launch
文件系统	`NONE`	`READ`	✓ 一致	src/platform/windows.js:20 - reads require.main.filename only
网络访问	`NONE`	`NONE`	—	No network code found
环境变量	`NONE`	`READ`	✓ 一致	DISPLAY env var set for VM support, documented
技能调用	`NONE`	`NONE`	—	No recursive skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database access

13 文件 · 34.2 KB · 1388 行

Markdown 3f · 569L Python 3f · 399L JavaScript 4f · 361L JSON 3f · 59L

├─ ▾ 📁 docs

│ └─ ▾ 📁 plans

│ ├─ 📝 2026-03-08-calculator-chat-skill-design.md Markdown 104L · 2.6 KB

│ └─ 📝 2026-03-08-calculator-chat-skill-implementation-plan.md Markdown 405L · 8.5 KB

├─ ▾ 📁 src

│ ├─ ▾ 📁 platform

│ │ ├─ 📜 linux.js JavaScript 49L · 1.4 KB

│ │ ├─ 📜 macos.js JavaScript 39L · 979 B

│ │ └─ 📜 windows.js JavaScript 91L · 2.3 KB

│ ├─ 🐍 calculator.py Python 244L · 7.0 KB

│ ├─ 📜 index.js JavaScript 182L · 4.9 KB

│ ├─ 🐍 open_calc.py Python 99L · 2.6 KB

│ └─ 🐍 show_calc.py Python 56L · 1.5 KB

├─ 📋 mapping.json JSON 10L · 176 B

├─ 📋 package-lock.json JSON 16L · 277 B

├─ 📋 package.json JSON 33L · 657 B

└─ 📝 SKILL.md Markdown 60L · 1.4 KB

包名	版本	来源	已知漏洞	备注
`node`	`>=14.0.0`	system	否	Runtime requirement, already standard
`python3`	`*`	system	否	Optional fallback, only for gnome-calculator invocation
`gnome-calculator`	`*`	system	否	Required binary on Linux only

✓ Input validation with safe_chars whitelist prevents injection attacks

✓ Process management prevents duplicate calculator instances

✓ No external network requests or data exfiltration

✓ No credential or sensitive file access

✓ Platform-specific implementations properly scoped

✓ Cross-platform support with appropriate tools per OS (gnome-calculator/Linux, osascript/macOS, PowerShell/Windows)

✓ No base64 encoding or obfuscation found

✓ Dependencies properly declared and pinned in package.json