Trusted — Risk Score 5/100
Last scan: 23 hr ago
boris-workflow
Parallel agent task runner for OpenClaw implementing the Boris Cherny multi-agent pattern
Documentation-only skill package with no executable code, scripts, or malicious content. The pre-scan flagged a false positive - the 'rm -rf ~' is actually 'rm -rf ~/.openclaw/...' removing only the skill installation directory.
Skill Name: boris-workflow
Duration: 32.4s
Engine: pi
Safe to install
This skill is safe to use. The flagged shell command is a legitimate uninstall instruction, not a threat. No action required.

Findings 1 items

Severity Finding Location
Info
Documentation describes files not present in package Doc Mismatch
CHANGELOG.md describes a file structure with bin/, lib/, webui/, etc., but only documentation files (SKILL.md, README.md, INSTALL.md, CHANGELOG.md, LICENSE.md, SKILL.json) are actually included. This is not malicious - it appears to be a documentation-only submission package.
File Structure:
boris-workflow/
├── bin/
│   └── boris-run
→ If this skill is intended to be functional, the actual implementation files (bin/, lib/, webui/) are missing. If it's documentation-only, this is acceptable.
CHANGELOG.md:57
1 Critical 7 findings
Critical | Dangerous Command | rm -rf ~ | INSTALL.md:121
Medium | External URL | https://keepachangelog.com/en/1.0.0/ | CHANGELOG.md:5
Medium | External URL | https://semver.org/spec/v2.0.0.html | CHANGELOG.md:6
Medium | External URL | https://discord.gg/openclaw | INSTALL.md:203
Medium | External URL | https://img.shields.io/badge/OpenClaw-Compatible-blue | README.md:5
Medium | External URL | https://openclaw.dev | README.md:5
Medium | External URL | https://img.shields.io/badge/license-MIT-green | README.md:6

File Tree

6 files · 34.0 KB · 1050 lines
Markdown 5f · 920L JSON 1f · 130L
├─ 📝 CHANGELOG.md Markdown 171L · 5.4 KB
├─ 📝 INSTALL.md Markdown 203L · 3.5 KB
├─ 📝 LICENSE.md Markdown 32L · 1.4 KB
├─ 📝 README.md Markdown 257L · 10.0 KB
├─ 📋 SKILL.json JSON 130L · 3.6 KB
└─ 📝 SKILL.md Markdown 257L · 10.0 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
pyyaml | >=6.0 | pip | No | Version specified with minimum constraint
requests | >=2.28.0 | pip | No | Version specified with minimum constraint

Security Positives

✓ No executable code present - only documentation files
✓ Standard MIT license included
✓ Clean dependency list (pyyaml, requests) with minimum version constraints
✓ No credential harvesting or sensitive data access patterns
✓ No network exfiltration or C2 communication
✓ No obfuscation or base64-encoded payloads
✓ No hidden instructions in HTML comments or documentation
✓ No supply chain risks since no dependencies are actually executed