📦
감사 이력
appflowy-api - 2 감사
감사 버전 2
최신 중간 위험Jun 28, 2026, 02:00 PM
Static analysis found many command, network, environment, filesystem, and heuristic hits. Review found no prompt injection or confirmed malicious intent, but the skill legitimately handles credentials, makes authenticated AppFlowy requests, and can mutate or delete workspace content. Publish with clear warnings for trusted self-hosted environments and careful credential handling.
40
스캔된 파일
3,944
분석된 줄 수
11
발견 사항
codex
감사자
중간 위험 문제 (3)
scripts/appflowy_client.py:122-149scripts/appflowy_client.py:165-174scripts/appflowy_client.py:176-235references/config.example.json:2-3
Authenticated AppFlowy Network Operations
TRUE_POSITIVE. The skill sends credentials to a configured GoTrue endpoint and sends bearer-token requests to AppFlowy workspace, document, database, and row endpoints. This is expected for the skill, but a wrong base URL or exposed token could affect private workspace data.
scripts/apply_grid_template.py:86-106scripts/apply_grid_template.py:157-190scripts/update_user_management_doc.py:577-581scripts/collab_delete_blocks.mjs:90-134
Workspace Content Mutation and Deletion
TRUE_POSITIVE. The skill can create page views, append blocks, upsert rows, repair collab state, and delete document blocks or row orders. These operations are legitimate but can cause data loss if run against the wrong workspace or with an unsafe template.
scripts/appflowy_client.py:30-44scripts/_common.py:25-63scripts/_common.py:78-86scripts/get_token.py:7-19
Credential and Local Payload Handling
TRUE_POSITIVE. The scripts can read optional .env files, config files, and JSON payload files, then use credentials or tokens for API calls. This is normal for API tooling, but users must avoid untrusted files and protect token output.
낮은 위험 문제 (3)
scripts/appflowy_skill.py:29-35scripts/doc_grid_lib.py:311-317scripts/doc_grid_lib.py:348-354scripts/doc_grid_lib.py:383-389
Constrained Subprocess Use
FALSE_POSITIVE for command injection. subprocess.run invokes Python or Node with local script paths selected from fixed command maps, and user arguments are passed as argument arrays. This still requires Node and local dependency trust.
Hardcoded Private Example Endpoint
TRUE_POSITIVE but low severity. The documentation and sample config include a private IP address for AppFlowy and GoTrue examples. It is not a public exfiltration endpoint, but users should replace it before running commands.
Static Heuristic False Positives
FALSE_POSITIVE. Weak-crypto, obfuscation, and reconnaissance hits appear to come from descriptions, metadata, endpoint references, non-English text, and normal API troubleshooting text. No prompt injection attempt or encoded payload was found in the reviewed files.
위험 요인
⚡ 스크립트 포함 (4)
🌐 네트워크 접근 (4)
🔑 환경 변수 (4)
📁 파일 시스템 접근 (4)
감지된 패턴
Network Requests With Bearer TokensOpt-In Environment File ReadingLocal Script Execution for Collab UpdatesDestructive Collab State Editing
감사 버전 1
낮은 위험Feb 28, 2026, 12:58 PM
Evaluated 314 static findings across 42 files. All detected patterns are false positives: external commands are legitimate subprocess calls to trusted local Node.js scripts for Y.js CRDT processing; network access is for AppFlowy API calls to user-controlled endpoints; environment file access is opt-in only via explicit --env flag; filesystem operations are for reading stdin and template files. No evidence of malicious intent, data exfiltration, or unauthorized access. This is a legitimate API client toolkit for self-hosted AppFlowy automation.
42
스캔된 파일
4,016
분석된 줄 수
10
발견 사항
claude
감사자
중간 위험 문제 (2)
scripts/appflowy_skill.py:35scripts/doc_grid_lib.py:311-317scripts/doc_grid_lib.py:348-354scripts/doc_grid_lib.py:383-389
Subprocess Execution Without Input Sanitization
Python subprocess.run() calls execute Node.js scripts with JSON input via stdin. While input is structured JSON, there is no explicit validation of payload structure before passing to external process. Risk is mitigated by controlled script paths and local-only execution.
Opt-In Environment File Access
The skill reads .env files only when explicitly invoked with --env <path> flag. This is documented behavior but users should be aware that passing --env will load environment variables from the specified file.
낮은 위험 문제 (4)
Bash Code Examples in Documentation
Markdown documentation files contain shell command examples using backticks. These are documentation examples, not executable code. No security risk.
Hardcoded URLs in Documentation
Documentation and example config files contain hardcoded URLs including internal IP addresses (10.60.0.189). These are examples for self-hosted deployments and do not represent external network calls to untrusted endpoints.
scripts/collab_delete_blocks.mjs:1-50scripts/collab_delete_row_orders.mjs:1-50scripts/collab_update_select_options.mjs:1-50
Y.js CRDT Processing via Node.js
Node.js scripts use Y.js library to process collaborative document state (CRDT operations). The 'weak cryptographic algorithm' alerts are false positives from the static scanner; Y.js uses standard encoding for update vectors, not encryption.
Standard Python Environment Variable Access
Code reads configuration from os.environ for APPFLOWY_BASE_URL, API_EXTERNAL_URL, etc. This is standard Python practice for configuration management.
위험 요인
⚙️ 외부 명령어 (4)
🌐 네트워크 접근 (4)
감지된 패턴
Subprocess Execution PatternNetwork Requests to User-Controlled Endpoints