todo 安全扫描报告 — 低风险 | ClawSafe

20 /100

todo

Manage todo lists in PostgreSQL. Per-agent lists, optional categories, priorities, due dates.

This is a legitimate PostgreSQL-backed todo management CLI with filesystem access for .env loading and file migration that is not declared in SKILL.md.

技能名称todo

分析耗时44.0s

引擎pi

✓

可以安装

Add explicit filesystem:READ and filesystem:WRITE declarations to SKILL.md for the .env loading and migrate features. Consider pinning psycopg2-binary to a specific version.

安全发现 4 项

严重性	安全发现	位置
低危	Undeclared .env file reading 文档欺骗 get_db_config() silently loads and parses a .env file in the skill directory without declaring filesystem:READ in SKILL.md. This is benign but undocumented. `for line in env_file.read_text().splitlines():` → Declare filesystem:READ in SKILL.md allowed-tools if .env loading is intentional, or remove this fallback and rely solely on environment variables.	`scripts/todo_cli.py:53`
低危	Undeclared filesystem write/delete via migrate 文档欺骗 The migrate --action import-delete command deletes source files after import. This filesystem:WRITE capability is not declared in SKILL.md, though it is briefly mentioned in the migration warning section. `fpath.unlink()` → Ensure filesystem:WRITE is declared in SKILL.md's allowed-tools if file deletion is part of the skill contract. Consider requiring explicit confirmation before destructive file operations.	`scripts/todo_cli.py:619`
低危	Workspace path derived from environment or home directory 敏感访问 cmd_migrate_check and cmd_migrate use Path.home() / '.openclaw' / 'workspace-researcher' as a fallback workspace, which resolves to a path under the user's home directory. This is acceptable but worth noting. `str(Path.home() / ".openclaw" / "workspace-researcher")` → Document the workspace path expectation in SKILL.md or make it configurable via an explicit env var without falling back to hardcoded paths under ~.	`scripts/todo_cli.py:596`
提示	Unpinned psycopg2-binary dependency 供应链 SKILL.md instructs users to 'pip install psycopg2-binary' with no version constraint, allowing any version to be pulled at install time. `pip install psycopg2-binary` → Pin to a specific version, e.g., pip install psycopg2-binary==2.9.9, to prevent unexpected updates.	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✗ 越权	scripts/todo_cli.py:53 — reads .env file from disk
文件系统	`NONE`	`WRITE`	✗ 越权	scripts/todo_cli.py:619 — fpath.unlink() deletes source file after migrate
数据库	`READ`	`WRITE`	✓ 一致	todo_cli.py — SELECT, INSERT, UPDATE, DELETE on todo tables; required for todo m…
网络访问	`NONE`	`NONE`	—	No outbound network calls; only local PostgreSQL connection via psycopg2
命令执行	`NONE`	`NONE`	—	No subprocess, os.system, or shell command execution found
环境变量	`NONE`	`READ`	✓ 一致	os.environ.get(...) for TODO_DB_* vars — documented and necessary for DB connect…

目录结构

6 文件 · 50.5 KB · 1494 行

Python 1f · 1023L Markdown 4f · 466L JSON 1f · 5L

├─ ▾ 📁 references

│ ├─ 📝 cli.md Markdown 217L · 5.7 KB

│ └─ 📝 schema.md Markdown 64L · 2.3 KB

├─ ▾ 📁 scripts

│ └─ 🐍 todo_cli.py Python 1023L · 34.8 KB

├─ 📋 _meta.json JSON 5L · 128 B

├─ 📝 CHANGELOG.md Markdown 50L · 2.0 KB

└─ 📝 SKILL.md Markdown 135L · 5.5 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`psycopg2-binary`	`*`	pip	否	Version not pinned — any version will be installed

安全亮点

✓ No obfuscation: no base64, eval(), or anti-analysis patterns detected

✓ No credential exfiltration: database password is used only for local PostgreSQL connection

✓ No remote code execution: no subprocess, os.system, or shell commands

✓ No network exfiltration: no outbound HTTP/WebSocket/C2 calls

✓ SQL injection mitigated via parameterized queries (psycopg2 %s placeholders)

✓ Cross-agent access is logged to todo_access_log table

✓ File deletion in migrate is workspace-scoped (fpath.relative_to(workspace) check prevents path traversal)

✓ No sensitive hardcoded secrets or embedded credentials

✓ Well-structured code with clear separation of concerns