Low risk: risk score 25/100
Last scan: 21 hours ago
contextweave-diagrams
AI-powered diagram and complex information visualization tool based on ContextWeave
This is a documentation-only skill with no implementation scripts, offering minimal attack surface but exhibiting a doc/code mismatch due to referenced scripts that don't exist in the package.
Skill name: contextweave-diagrams
Analysis time: 139.4s
Engine: pi
Can be installed
This skill should not be deployed until the implementation scripts (generate_contextweave.cjs, cw_client.cjs) are provided and reviewed. The SKILL.md references scripts that are absent from the package.

Security findings (2)

Severity | Finding | Location

Medium | Referenced implementation scripts are absent (documentation deception) | SKILL.md:1
SKILL.md extensively describes script execution flows (node scripts/generate_contextweave.cjs, cw_client.cjs), but the pre-scan confirms that zero script files exist in the package. This creates a doc/code gap in which the actual implementation cannot be security-reviewed.
Evidence: node scripts/generate_contextweave.cjs --input_file "<absolute file path>"
→ Do not deploy this skill until the referenced Node.js scripts are provided and reviewed. Request the full implementation before any security assessment can be completed.

Low | Allowed tools declaration exceeds deliverable (privilege escalation) | SKILL.md:83
SKILL.md declares shell:WRITE (via node execution) and filesystem:READ/WRITE capabilities, but no scripts exist to exercise any of these permissions. The allowed tools are theoretical only.
Evidence: node scripts/generate_contextweave.cjs --input_file "<absolute file path>"
→ Align the allowed tools declaration with the actual deliverable, or provide the scripts that justify these permissions.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | NONE | ✓ consistent | SKILL.md: reads input_file only, but scripts are absent
Network access | READ | NONE | ✓ consistent | SKILL.md: POSTs to CONTEXTWEAVE_API_URL only, but scripts are absent
Command execution | WRITE | NONE | ✓ consistent | SKILL.md: runs 'node scripts/generate_contextweave.cjs', but scripts are absent
Environment variables | READ | NONE | ✓ consistent | SKILL.md: reads CONTEXTWEAVE_MCP_API_KEY and CONTEXTWEAVE_API_URL, but scripts a…

Directory structure

1 file · 9.1 KB · 180 lines
Markdown: 1 file · 180 lines
└─ SKILL.md (Markdown, 180 lines, 9.1 KB)

Security highlights

✓ SKILL.md explicitly restricts backend to CONTEXTWEAVE_API_URL env var — no arbitrary network targets
✓ SKILL.md mandates credentials from env vars only — no local directory scanning for API keys
✓ SKILL.md requires absolute paths only for file operations — no relative path traversal risk
✓ SKILL.md restricts outbound data to only drawing-request-relevant payload
✓ No scripts, binary files, or sensitive files are present in the package — zero active malware surface
✓ No IOCs (IPs, domains, hashes) detected in the package