📦
Historial de auditorías
appflowy-api - 2 auditorías
Versión de auditoría 2
Más reciente Riesgo medioJun 28, 2026, 02:00 PM
Static analysis found many command, network, environment, filesystem, and heuristic hits. Review found no prompt injection or confirmed malicious intent, but the skill legitimately handles credentials, makes authenticated AppFlowy requests, and can mutate or delete workspace content. Publish with clear warnings for trusted self-hosted environments and careful credential handling.
40
Archivos escaneados
3,944
Líneas analizadas
11
hallazgos
codex
Auditado por
Problemas de riesgo medio (3)
scripts/appflowy_client.py:122-149scripts/appflowy_client.py:165-174scripts/appflowy_client.py:176-235references/config.example.json:2-3
Authenticated AppFlowy Network Operations
TRUE_POSITIVE. The skill sends credentials to a configured GoTrue endpoint and sends bearer-token requests to AppFlowy workspace, document, database, and row endpoints. This is expected for the skill, but a wrong base URL or exposed token could affect private workspace data.
scripts/apply_grid_template.py:86-106scripts/apply_grid_template.py:157-190scripts/update_user_management_doc.py:577-581scripts/collab_delete_blocks.mjs:90-134
Workspace Content Mutation and Deletion
TRUE_POSITIVE. The skill can create page views, append blocks, upsert rows, repair collab state, and delete document blocks or row orders. These operations are legitimate but can cause data loss if run against the wrong workspace or with an unsafe template.
scripts/appflowy_client.py:30-44scripts/_common.py:25-63scripts/_common.py:78-86scripts/get_token.py:7-19
Credential and Local Payload Handling
TRUE_POSITIVE. The scripts can read optional .env files, config files, and JSON payload files, then use credentials or tokens for API calls. This is normal for API tooling, but users must avoid untrusted files and protect token output.
Problemas de riesgo bajo (3)
scripts/appflowy_skill.py:29-35scripts/doc_grid_lib.py:311-317scripts/doc_grid_lib.py:348-354scripts/doc_grid_lib.py:383-389
Constrained Subprocess Use
FALSE_POSITIVE for command injection. subprocess.run invokes Python or Node with local script paths selected from fixed command maps, and user arguments are passed as argument arrays. This still requires Node and local dependency trust.
Hardcoded Private Example Endpoint
TRUE_POSITIVE but low severity. The documentation and sample config include a private IP address for AppFlowy and GoTrue examples. It is not a public exfiltration endpoint, but users should replace it before running commands.
Static Heuristic False Positives
FALSE_POSITIVE. Weak-crypto, obfuscation, and reconnaissance hits appear to come from descriptions, metadata, endpoint references, non-English text, and normal API troubleshooting text. No prompt injection attempt or encoded payload was found in the reviewed files.
Factores de riesgo
⚡ Contiene scripts (4)
🌐 Acceso a red (4)
🔑 Variables de entorno (4)
📁 Acceso al sistema de archivos (4)
Patrones detectados
Network Requests With Bearer TokensOpt-In Environment File ReadingLocal Script Execution for Collab UpdatesDestructive Collab State Editing
Versión de auditoría 1
Riesgo bajoFeb 28, 2026, 12:58 PM
Evaluated 314 static findings across 42 files. All detected patterns are false positives: external commands are legitimate subprocess calls to trusted local Node.js scripts for Y.js CRDT processing; network access is for AppFlowy API calls to user-controlled endpoints; environment file access is opt-in only via explicit --env flag; filesystem operations are for reading stdin and template files. No evidence of malicious intent, data exfiltration, or unauthorized access. This is a legitimate API client toolkit for self-hosted AppFlowy automation.
42
Archivos escaneados
4,016
Líneas analizadas
10
hallazgos
claude
Auditado por
Problemas de riesgo medio (2)
scripts/appflowy_skill.py:35scripts/doc_grid_lib.py:311-317scripts/doc_grid_lib.py:348-354scripts/doc_grid_lib.py:383-389
Subprocess Execution Without Input Sanitization
Python subprocess.run() calls execute Node.js scripts with JSON input via stdin. While input is structured JSON, there is no explicit validation of payload structure before passing to external process. Risk is mitigated by controlled script paths and local-only execution.
Opt-In Environment File Access
The skill reads .env files only when explicitly invoked with --env <path> flag. This is documented behavior but users should be aware that passing --env will load environment variables from the specified file.
Problemas de riesgo bajo (4)
Bash Code Examples in Documentation
Markdown documentation files contain shell command examples using backticks. These are documentation examples, not executable code. No security risk.
Hardcoded URLs in Documentation
Documentation and example config files contain hardcoded URLs including internal IP addresses (10.60.0.189). These are examples for self-hosted deployments and do not represent external network calls to untrusted endpoints.
scripts/collab_delete_blocks.mjs:1-50scripts/collab_delete_row_orders.mjs:1-50scripts/collab_update_select_options.mjs:1-50
Y.js CRDT Processing via Node.js
Node.js scripts use Y.js library to process collaborative document state (CRDT operations). The 'weak cryptographic algorithm' alerts are false positives from the static scanner; Y.js uses standard encoding for update vectors, not encryption.
Standard Python Environment Variable Access
Code reads configuration from os.environ for APPFLOWY_BASE_URL, API_EXTERNAL_URL, etc. This is standard Python practice for configuration management.
Factores de riesgo
⚙️ Comandos externos (4)
🌐 Acceso a red (4)
🔑 Variables de entorno (3)
📁 Acceso al sistema de archivos (3)
Patrones detectados
Subprocess Execution PatternNetwork Requests to User-Controlled Endpoints