Skip to content

zeptoclaw

本页为离线静态分析自动生成;分数为信号驱动启发式,请结合证据与人工复核使用。

项目概况

  • 名称: zeptoclaw
  • 版本: 0.5.5
  • Git HEAD: f8eab053e974
  • 最近提交: 2026-02-24T12:09:06+08:00
  • 许可证: LICENSE
  • 语言: Rust(213), Markdown(51), YAML(12), Shell(7), JSON(6), TOML(6)

README 摘要

Ultra-lightweight personal AI assistant.

评分(0-10)

维度分数
代码质量3.5
可维护性6.5
健壮性5.5
可持续性8.0
可迁移性3.0
综合5.3

工程信号

CI / 测试

  • CI: 5 个 workflow
    • .github/workflows/ci.yml, .github/workflows/docker.yml, .github/workflows/e2e.yml, .github/workflows/pr-hygiene.yml, .github/workflows/release.yml
  • CI 操作系统: linux
  • Docker: 有
  • 测试信号: dir:tests/

代码质量工具

  • 校验库: rust:serde

安全与治理

  • 安全文档: 有
  • 治理: dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md

架构与发布

  • 插件/Provider 结构: dir:src/plugins/, dir:src/providers/
  • 发布信号: ci-file:.github/workflows/release.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/release.yml, rust:versioned-package
  • 可观测性: rust:tracing

技术栈与依赖

  • Rust: name=zeptoclaw cargo_lock=True
    • deps: aho-corasick, anyhow, argon2, async-imap, async-trait, base64, chacha20poly1305, chromiumoxide, chrono, clap, dirs, dotenvy, futures, hex, instant-distance, json5

评分依据(信号 → 证据)

代码质量

  • +2 CI: 5 workflow(s)
  • +2.5 tests: 1 signal(s)
  • -1 risky code patterns present (review needed)

可维护性

  • +1 README present
  • +1 docs dirs: docs/
  • +1 CHANGELOG present
  • +1.5 governance: dir:.github/ISSUE_TEMPLATE/, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
  • +1 Cargo.lock present
  • +1 CI present

健壮性

  • +2 tests present
  • +1 config signals: dir:docs/
  • +1 security docs present
  • +1 validation libs: rust:serde
  • +0.5 retry/timeout libs (signals): rust:reqwest, rust:tokio
  • +1 CI present
  • -1 risky code patterns present (review needed)

可持续性

  • +1 license present
  • +1 version: 0.5.5
  • +1 CHANGELOG present
  • +0.5 security docs present
  • +0.5 alerting/observability (signals): rust:tracing
  • +1 release signals: ci-file:.github/workflows/release.yml, ci:release:.github/workflows/ci.yml, ci:release:.github/workflows/release.yml, rust:versioned-package
  • +1 tags: 9 tag(s)
  • +2 recent commit (≤30d)

可迁移性

  • +2 Docker present
  • +1 plugin/provider structure (signals): dir:src/plugins/, dir:src/providers/

安全与风险信号(静态扫描)

疑似凭据(已编辑)

  • Slack Token at landing/r8r/docs/src/content/docs/reference/environment.md:92 value=***已编辑***
  • Slack Token at src/cli/secrets.rs:398 value=***已编辑***
  • OpenAI Key at src/safety/mod.rs:327 value=***已编辑***
  • OpenAI Key at src/safety/mod.rs:335 value=***已编辑***
  • OpenAI Key at src/safety/mod.rs:398 value=***已编辑***
  • OpenAI Key at src/safety/leak_detector.rs:12 value=***已编辑***
  • OpenAI Key at src/safety/leak_detector.rs:16 value=***已编辑***
  • OpenAI Key at src/safety/leak_detector.rs:250 value=***已编辑***
  • AWS Access Key at src/safety/leak_detector.rs:277 value=***已编辑***
  • GitHub PAT at src/safety/leak_detector.rs:287 value=***已编辑***
  • …及其余 14 条(详见原始 JSON)

高风险模式(需人工复核)

  • curl|bash (code) at landing/zeptoclaw/index.html:1495
  • curl|bash (code) at landing/zeptoclaw/index.html:1522
  • curl|bash (code) at deploy/setup.sh:5
  • curl|bash (code) at deploy/setup.sh:6
  • curl|bash (code) at deploy/setup.sh:70
  • curl|bash (code) at deploy/setup.sh:71
  • curl|bash (code) at deploy/setup.sh:81
  • curl|bash (code) at deploy/setup.sh:84
  • curl|bash (code) at deploy/setup.sh:246
  • curl|bash (code) at src/security/shell.rs:20
  • …及其余 12 条 code 类
  • 文档中的风险模式:14 条(curl|bash 等安装指引,通常为预期行为)
  • curl|bash (config) at deploy/fly.toml:4

改进建议

  • 在 CI 中启用 Rust 静态检查:cargo fmt --check + cargo clippy -D warnings
  • 在 CI 增加安全扫描(依赖审计/secret 扫描/静态分析等)并设为质量闸门。
  • 审计高风险执行路径(eval/exec/shell=True/curl|bash 等):最小权限、输入验证、隔离执行。

离线静态分析 · 信号驱动启发式评分 · 不使用外部平台指标