skill-factory Security Report — Trusted | ClawSafe

5 /100

skill-factory

Build and publish OpenClaw skills from recurring pain points

Skill Factory 是用于从痛点构建和发布 OpenClaw 技能的合法工具，代码行为与文档描述一致，无恶意特征。

Skill Nameskill-factory

Duration36.8s

Enginepi

✓

Safe to install

该技能可安全使用。建议修复硬编码路径以提高跨平台兼容性。

Findings 2 items

Severity	Finding	Location
Low	硬编码系统路径可能影响可用性 Supply Chain package_skill.py 使用绝对路径 /opt/homebrew/lib/node_modules/...，在非 macOS Homebrew 环境可能找不到 `python3 /opt/homebrew/lib/node_modules/openclaw/skills/skill-creator/scripts/package_skill.py` → 考虑使用动态路径解析或要求环境变量指定	`scripts/factory.js:209`
Low	npx 调用无版本锁定 Supply Chain 使用 npx clawhub@latest 而非固定版本，存在依赖更新风险 `npx clawhub@latest publish` → 建议锁定具体版本号	`scripts/factory.js:217`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	scripts/factory.js:54-56 读取 .learnings/ 文件
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/factory.js:84-98 创建 skill 目录和 .factory-prompt.md
Shell	`WRITE`	`WRITE`	✓ Aligned	scripts/factory.js:209-217 execSync 调用 package_skill.py 和 clawhub publish
Network	`READ`	`READ`	✓ Aligned	SKILL.md 声明 publish 到 ClawHub，代码实现一致

2 files · 11.4 KB · 380 lines

JavaScript 1f · 274L Markdown 1f · 106L

├─ ▾ 📁 scripts

│ └─ 📜 factory.js JavaScript 274L · 8.2 KB

└─ 📝 SKILL.md Markdown 106L · 3.2 KB

Package	Version	Source	Known Vulns	Notes
`clawhub`	`latest`	npm (npx)	No	无版本锁定，通过 npx 动态下载
`openclaw`	`unknown`	system (hardcoded path)	No	依赖系统安装的 openclaw 包

✓ 文档与代码行为完全一致，无阴影功能

✓ 无凭证收割、base64 编码或远程 shell 等高危模式

✓ 文件操作限定在 workspace 目录内，符合权限最小化原则

✓ slugify 函数对用户输入进行了清理，防止路径遍历

✓ 错误处理完善，退出码符合文档声明