Low risk: risk score 15/100
Last scan: 1 day ago
math-arithmetic-ocr
Tencent Cloud ArithmeticOCR skill for OpenClaw - OCR for math equations
A legitimate Tencent Cloud ArithmeticOCR integration with accurate documentation, no hidden functionality, and standard credential handling for API authentication.
Skill name: math-arithmetic-ocr
Analysis time: 26.6s
Engine: pi
Verdict: safe to install
Skill is safe to use. Consider pinning axios to an exact version (1.6.0 rather than the caret range ^1.6.0) in package.json to reduce supply-chain risk.

Security findings: 2

Severity | Finding | Category | Location
Low | Unpinned dependency version | Supply chain | package.json:9
    axios is declared with the caret range ^1.6.0 rather than an exact version, so npm may install any later 1.x release at install time, including one published after this scan.
    "axios": "^1.6.0"
    → Change to "axios": "1.6.0". Note that an exact pin in package.json fixes only the direct dependency; axios's own dependencies still float unless a lockfile (package-lock.json) is committed, and the 4-file directory listing shows none.
Info | Potential over-declaration of file.read permission | Documentation deception | plugin.json:34
    SKILL.md and plugin.json declare the file.read permission, but code analysis shows the skill accepts only imageBase64/imageUrl as inputs; local file reading is not implemented.
    "permissions": ["network.request", "file.read"]
    → Remove file.read from the declared permissions if it is not needed; a granted but unused permission widens what a future version of the skill (or a compromised dependency) could do without any manifest change.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | index.js:103: axios POST to https://ocr.tencentcloudapi.com
File system | READ | NONE | ⚠ over-declared (see finding above) | plugin.json declares file.read but code only accepts imageBase64/imageUrl parame…
Environment variables | NONE | READ | ✓ consistent | index.js:138-139: reads TENCENTCLOUD_SECRET_ID/KEY for API authentication only
Command execution | NONE | NONE | ✓ consistent | No subprocess or shell execution detected
External URLs: 1 finding

Severity | Type | URL | Location
Medium | External URL | https://ocr.tencentcloudapi.com | index.js:103

Directory structure

4 files · 10.1 KB · 332 lines
JavaScript: 1 file · 203 lines; Markdown: 1 file · 73 lines; JSON: 2 files · 56 lines
├─ 📜 index.js JavaScript 203L · 6.1 KB
├─ 📋 package.json JSON 12L · 237 B
├─ 📋 plugin.json JSON 44L · 1.4 KB
└─ 📝 SKILL.md Markdown 73L · 2.4 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
axios | ^1.6.0 | npm | (none listed) | Version not pinned to an exact release

Security highlights

✓ No shell execution or command injection vulnerabilities
✓ No data exfiltration or C2 communication patterns
✓ No obfuscation or base64-encoded payloads
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ Credential handling is appropriate - keys used only for local API signing
✓ Documentation accurately describes implementation behavior
✓ Clear and focused functionality (math OCR only)
✓ No reverse shell, backdoor, or persistence mechanisms
✓ Legitimate Tencent Cloud API endpoint (ocr.tencentcloudapi.com)