zeptoclaw
This page was generated automatically by offline static analysis; the scores are signal-driven heuristics and should be read together with the evidence and confirmed by manual review.
Project overview
- Name: zeptoclaw
- Version: 0.6.2
- Git HEAD: 8c13b6c5763f
- Latest commit: 2026-03-05T12:34:14+08:00
- License: LICENSE
- Languages: Rust (267), Markdown (56), TypeScript (26), YAML (14), JSON (10), Shell (7)
README summary
Ultra-lightweight personal AI assistant.
Scores (0-10)
| Dimension | Score | Grade |
|---|---|---|
| Code quality | 0.0 | 🔴 Insufficient |
| Maintainability | 7.0 | 🔵 Good |
| Robustness | 4.5 | 🟡 Fair |
| Sustainability | 8.5 | 🟢 Excellent |
| Portability | 3.0 | 🟠 Weak |
| Overall | 4.6 | 🟡 Fair |
Engineering signals
CI / tests
- CI: 5 workflows: .github/workflows/ci.yml, .github/workflows/docker.yml, .github/workflows/e2e.yml, .github/workflows/pr-hygiene.yml, .github/workflows/release.yml
- CI operating systems: linux
- Docker: yes
- Test signals: dir:tests/
Code quality tooling
- Validation libraries: rust:serde
Security and governance
- Security documentation: yes
- Security scanning: file:.github/dependabot.yml
- Governance: dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
Architecture and releases
- Plugin/provider structure: dir:src/plugins/, dir:src/providers/
- Release signals: ci-file:.github/workflows/release.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/release.yml, rust:versioned-package
- Observability: rust:tracing
Tech stack and dependencies
- Rust: name=zeptoclaw, cargo_lock=True
- deps: aho-corasick, anyhow, argon2, async-imap, async-trait, axum, base64, bcrypt, chacha20poly1305, chromiumoxide, chrono, clap, dirs, dotenvy, futures, gog-auth…
Scoring rationale (signal → evidence)
Code quality
- +1.5 CI: 5 workflow(s) (3–5)
- +1 tests: 1 signal(s), density 0% (<5%)
- -1.5 high-density risky code patterns (30 hits)
- -1 many oversized files (31 files >1000 lines)
Maintainability
- +1 README present
- +1 docs dirs: docs/
- +1 CHANGELOG present
- +2 strong governance (3 signals): dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
- +1 Cargo.lock present
- +1 CI present
Robustness
- +1.5 tests present (density 0%)
- +1 config signals: dir:docs/
- +1 security docs present
- +1 validation libs: rust:serde
- +0.5 retry/timeout libs (signals): rust:reqwest, rust:tokio
- +1 CI present
- -1.5 high-density risky code patterns (30 hits)
Sustainability
- +1 license present
- +1 version: 0.6.2
- +1 CHANGELOG present
- +0.5 security docs present
- +0.5 alerting/observability (signals): rust:tracing
- +1 security scans: file:.github/dependabot.yml
- +1 release signals: ci-file:.github/workflows/release.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/release.yml, rust:versioned-package
- +0.5 tags: 15 tag(s)
- +2 very recent commit (≤7d)
Portability
- +2 Docker present
- +1 plugin/provider structure (signals): dir:src/plugins/, dir:src/providers/
Security and risk signals (static scan)
Suspected credentials (redacted)
- Slack Token at landing/r8r/docs/src/content/docs/reference/environment.md:92, value=***redacted***
- AWS Access Key at src/config/mod.rs:2086, value=***redacted***
- AWS Access Key at src/config/mod.rs:2102, value=***redacted***
- Slack Token at src/cli/secrets.rs:398, value=***redacted***
- OpenAI Key at src/safety/taint.rs:498, value=***redacted***
- OpenAI Key at src/safety/taint.rs:536, value=***redacted***
- OpenAI Key at src/safety/taint.rs:690, value=***redacted***
- AWS Access Key at src/safety/taint.rs:704, value=***redacted***
- OpenAI Key at src/safety/taint.rs:724, value=***redacted***
- OpenAI Key at src/safety/mod.rs:351, value=***redacted***
- … and 21 more (see the raw JSON)
High-risk patterns (manual review required)
- curl|bash (code) at landing/zeptoclaw/index.html:1495
- curl|bash (code) at landing/zeptoclaw/index.html:1522
- curl|bash (code) at deploy/setup.sh:5
- curl|bash (code) at deploy/setup.sh:6
- curl|bash (code) at deploy/setup.sh:70
- curl|bash (code) at deploy/setup.sh:71
- curl|bash (code) at deploy/setup.sh:81
- curl|bash (code) at deploy/setup.sh:84
- curl|bash (code) at deploy/setup.sh:246
- curl|bash (code) at src/security/shell.rs:109
- … and 20 more in the code category
- Risk patterns in documentation: 14 (install instructions such as curl|bash, usually expected behaviour)
- curl|bash (config) at deploy/fly.toml:4
Recommendations
- Enable Rust static checks in CI: `cargo fmt --check` + `cargo clippy -D warnings`.
- Audit high-risk execution paths (`eval`/`exec`/`shell=True`/`curl|bash` and similar): least privilege, input validation, isolated execution.