Security Decision Report

ai-customer-service-automation

The skill declares extensive AI automation capabilities but contains no actual implementation code—the only files are documentation (SKILL.md) and a package.json referencing a non-existent index.js entry point.

Installation decision first Source: manual upload Scan time: 2026/4/4
Files 2
IOC 1
Privilege overreach items 0
Findings 2

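Why this conclusion was reached

0/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Review
Hidden execution and outbound connections

1 general-risk artifact was extracted; it needs to be judged in context.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain assessment should remain tentative.

How the risk score was raised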

Doc-to-code mismatch - declared but not implemented +25

SKILL.md claims AI automation, sentiment analysis, ticket systems, multi-channel support but no actual code exists

Missing implementation file +10

package.json declares main: 'index.js' but the file does not exist in the package

Marketing material posing as documentation +5

SKILL.md is 80% marketing content (pricing, ROI, testimonials) with no technical implementation details

Key evidence

Medium severity Documentation deception

Declared functionality has no implementation

SKILL.md claims AI-powered features (sentiment analysis, ticket systems, knowledge base sync, multi-channel support) but no source code, scripts, or entry point exists. The only declared entry 'index.js' referenced in package.json is missing.

SKILL.md:1
Request source code before using. This appears to be a documentation-only stub or marketing material.

Low severity Documentation deception

Marketing content masquerading as technical documentation

SKILL.md contains pricing tables, ROI calculations, customer testimonials, and sales copy. A legitimate skill would include actual code examples, API documentation, or technical implementation details.

SKILL.md:1
Verify the skill contains actual implementation before treating as a functional tool.

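Declared vs. actual capabilities

File system Pass
Declared NONE
Inferred NONE
No code files present
Network access Pass
Declared NONE
Inferred NONE
No code files present
Command execution Pass
Declared NONE
Inferred NONE
No scripts/entry points exist
Environment variables Pass
Declared NONE
Inferred NONE
No code files present
Skill invocation Pass
Declared NONE
Inferred NONE
No code files present
Clipboard Pass
Declared NONE
Inferred NONE
No code files present
Browser Pass
Declared NONE
Inferred NONE
No code files present
Database Pass
Declared NONE
Inferred NONE
No code files present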

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 107 lines
Markdown 1 file · 93 lines
JSON 1 file · 14 lines
Files needing attention · 1
SKILL.md Markdown · 93 lines
Declared functionality has no implementation · Marketing content masquerading as technical documentation · [email protected]
Other files · package.json

Security highlights

No malicious code present (no scripts, no executables)
No credential harvesting or exfiltration behavior
No obfuscation techniques detected
No sensitive file access attempts
No network requests to external IPs
No supply chain risks (no dependencies)