Trusted — Risk score 5/100
Last scanned: 19 hours ago
card-profile-recommend
Analyze a multi-card portfolio — grade each card (MVP / Keep / Consider Dropping), recommend 2–3 new additions with churning strategy, apply issuer rules (Chase 5/24, Amex lifetime bonus, Citi 8/65), and sequence applications to maximize signup bonuses.
A legitimate credit card portfolio recommendation skill that uses the Brave Search API for card research, with fully declared capabilities and no hidden behavior.
Skill name: card-profile-recommend
Analysis time: 24.3s
Engine: pi
Verdict: safe to install
This skill is safe to use. All network calls are to the declared Brave Search API and issuer domains, no credential exfiltration, no shell execution beyond curl for fetching.

Security findings: 1

Severity | Finding | Location

Severity: Low
Finding: BRAVE_API_KEY declared with minimal version scoping detail (category: documentation deception)
Location: SKILL.md:6
Description: The metadata declares env:BRAVE_API_KEY as a required variable but does not specify version pinning or security guidance. This is a minor documentation issue without security impact.
Evidence (SKILL.md:6):
env:
        - BRAVE_API_KEY
Recommendation: → Consider adding version guidance for the API key or scoping to a specific environment variable convention.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md:51 — curl to api.search.brave.com
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:51 — curl command usage declared
Environment variables | READ | READ | ✓ Consistent | SKILL.md:6 — requires BRAVE_API_KEY env var
Filesystem | NONE | NONE | — | No file operations found
Clipboard | NONE | NONE | — | No clipboard access found
Browser | NONE | NONE | — | No browser tool usage found
Database | NONE | NONE | — | No database access found
Skill invocation | NONE | NONE | — | No cross-skill invocation found
1 finding

Severity: Medium
Finding: External URL
URL: https://api.search.brave.com/res/v1/web/search?q=CARD+NAME+benefits+credits+annual+fee&count=10
Location: SKILL.md:78

Directory structure

1 file · 9.0 KB · 219 lines
Markdown: 1 file · 219 lines
└─ SKILL.md (Markdown, 219 lines · 9.0 KB)

Security highlights

✓ All network access is explicitly declared and limited to Brave Search API and known issuer domains
✓ No shell execution beyond documented curl commands for web fetching
✓ No filesystem, clipboard, or database access — fully scoped to read-only research
✓ No credential harvesting or exfiltration of user credentials
✓ No obfuscated code, base64 payloads, or anti-analysis techniques
✓ No supply chain dependencies that could introduce malicious code
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ SKILL.md is thorough and accurately reflects implementation behavior