Trusted — Risk score 5/100
Last scan: 22 hours ago
boris-workflow
Parallel agent task runner for OpenClaw implementing the Boris Cherny multi-agent pattern
Documentation-only skill package with no executable code, scripts, or malicious content. The pre-scan flagged a false positive: the 'rm -rf ~' is actually 'rm -rf ~/.openclaw/...', which removes only the skill installation directory.
Skill name: boris-workflow
Analysis time: 32.4s
Engine: pi
Verdict: Safe to install
This skill is safe to use. The flagged shell command is a legitimate uninstall instruction, not a threat. No action required.

Security findings (1)

Severity: Info
Finding: Documentation describes files not present in package (category: documentation deception)
Description: CHANGELOG.md describes a file structure with bin/, lib/, webui/, etc., but only documentation files (SKILL.md, README.md, INSTALL.md, CHANGELOG.md, LICENSE.md, SKILL.json) are actually included. This is not malicious; it appears to be a documentation-only submission package.
Evidence: File Structure: boris-workflow/ ├── bin/ │   └── boris-run
Recommendation: If this skill is intended to be functional, the actual implementation files (bin/, lib/, webui/) are missing. If it is documentation-only, this is acceptable.
Location: CHANGELOG.md:57
Pre-scan: 1 critical · 7 findings

Severity  Category           Value                                               Location
Critical  Dangerous command  rm -rf ~                                            INSTALL.md:121
Medium    External URL       https://keepachangelog.com/en/1.0.0/                CHANGELOG.md:5
Medium    External URL       https://semver.org/spec/v2.0.0.html                 CHANGELOG.md:6
Medium    External URL       https://discord.gg/openclaw                         INSTALL.md:203
Medium    External URL       https://img.shields.io/badge/OpenClaw-Compatible-blue  README.md:5
Medium    External URL       https://openclaw.dev                                README.md:5
Medium    External URL       https://img.shields.io/badge/license-MIT-green      README.md:6

Directory structure

6 files · 34.0 KB · 1050 lines
Markdown: 5 files · 920 lines; JSON: 1 file · 130 lines
├─ 📝 CHANGELOG.md Markdown 171L · 5.4 KB
├─ 📝 INSTALL.md Markdown 203L · 3.5 KB
├─ 📝 LICENSE.md Markdown 32L · 1.4 KB
├─ 📝 README.md Markdown 257L · 10.0 KB
├─ 📋 SKILL.json JSON 130L · 3.6 KB
└─ 📝 SKILL.md Markdown 257L · 10.0 KB

Dependency analysis (2)

Package   Version    Source  Known vulnerabilities  Notes
pyyaml    >=6.0      pip     -                      Version specified with minimum constraint
requests  >=2.28.0   pip     -                      Version specified with minimum constraint

Security highlights

✓ No executable code present - only documentation files
✓ Standard MIT license included
✓ Clean dependency list (pyyaml, requests) with pinned minimum versions
✓ No credential harvesting or sensitive data access patterns
✓ No network exfiltration or C2 communication
✓ No obfuscation or base64-encoded payloads
✓ No hidden instructions in HTML comments or documentation
✓ No supply chain risks since no dependencies are actually executed