factory-floor Security Report — Low Risk | ClawSafe

12 /100

factory-floor

Startup coach skill for founders — constraint diagnosis, marketing strategy, and prioritization using Goldratt, Maurya, Sharp, Ritson, Rumelt, Clausewitz, and JTBD frameworks

A legitimate startup coaching skill with no malicious behavior. Two minor technical concerns: unpinned npm dependency and execSync usage, both documented and scoped to legitimate package installation.

Skill Namefactory-floor

Duration60.4s

Enginepi

✓

Safe to install

No blocking action needed. Consider pinning beautiful-mermaid to a specific version in scripts/package.json to strengthen the supply chain posture.

Findings 2 items

Severity	Finding	Location
Low	Unpinned npm dependency allows version drift Supply Chain scripts/package.json declares beautiful-mermaid as ^1.1.3 with a caret range, permitting updates to any 1.x.x version. This creates a theoretical supply chain risk where a compromised future release could be auto-installed. `"beautiful-mermaid": "^1.1.3"` → Pin to exact version: "beautiful-mermaid": "1.1.3" or use a hash-based integrity check.	`scripts/package.json:5`
Low	execSync runs shell command during install Priv Escalation bin/install.mjs executes 'npm install --silent' via execSync. This is scoped to a local directory and documented as part of the install process, but shell execution is worth tracking for audit purposes. `execSync('npm install --silent', { cwd: join(target, 'scripts'), stdio: 'inherit' })` → This is expected behavior for a skill with an executable dependency. No action needed for security; just acknowledge it in capability declarations if tracking shell:WRITE.	`bin/install.mjs:53`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No filesystem access declared in SKILL.md. bin/install.mjs writes only to ~/.cla…
Network	`NONE`	`NONE`	—	No network calls in any code. External URLs in README.md are static references t…
Shell	`NONE`	`NONE`	—	bin/install.mjs:53 uses execSync but this is the installer's own deployment logi…
Environment	`NONE`	`NONE`	—	No environment variable access. grep found zero matches for os.environ, process.…
Skill Invoke	`READ`	`READ`	✓ Aligned	SKILL.md declares skill_invoke routing logic. Reads stage and reference .md file…
Clipboard	`NONE`	`NONE`	—	No clipboard access in any file.
Browser	`NONE`	`NONE`	—	No browser or WebFetch usage.
Database	`NONE`	`NONE`	—	No database access.

4 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/npm/v/@swiftner/factory-floor

README.md:3

🔗

Medium External URL 外部 URL

https://www.npmjs.com/package/@swiftner/factory-floor

README.md:3

🔗

Medium External URL 外部 URL

https://agentskills.io

README.md:7

🔗

Medium External URL 外部 URL

https://swiftner.com

README.md:141

File Tree

28 files · 230.3 KB · 5339 lines

Markdown 21f · 5144L JavaScript 2f · 137L JSON 3f · 47L YAML 1f · 11L

├─ ▾ 📁 agents

│ ├─ 📝 analyzer.md Markdown 52L · 1.6 KB

│ ├─ 📝 grader.md Markdown 65L · 2.4 KB

│ └─ 📋 openai.yaml YAML 11L · 321 B

├─ ▾ 📁 assets

│ └─ 📦 icon.svg 460 B

├─ ▾ 📁 bin

│ └─ 📜 install.mjs JavaScript 61L · 1.8 KB

├─ ▾ 📁 references

│ ├─ 📝 coaching-patterns.md Markdown 118L · 5.1 KB

│ ├─ 📝 estimation.md Markdown 485L · 20.5 KB

│ ├─ 📝 intake.md Markdown 87L · 4.1 KB

│ ├─ 📝 jtbd.md Markdown 494L · 21.7 KB

│ ├─ 📝 misdiagnoses.md Markdown 35L · 2.4 KB

│ ├─ 📝 pillar-goldratt.md Markdown 177L · 8.0 KB

│ ├─ 📝 pillar-maurya.md Markdown 299L · 13.1 KB

│ ├─ 📝 pillar-ritson.md Markdown 505L · 18.9 KB

│ ├─ 📝 pillar-sharp.md Markdown 376L · 17.5 KB

│ ├─ 📝 pillar-strategy.md Markdown 531L · 23.4 KB

│ ├─ 📝 weekly-diagrams.md Markdown 47L · 1.6 KB

│ └─ 📝 weekly-review.md Markdown 81L · 2.7 KB

├─ ▾ 📁 scripts

│ ├─ 📋 package.json JSON 8L · 136 B

│ └─ 📜 render-diagram.mjs JavaScript 76L · 2.1 KB

├─ ▾ 📁 stages

│ ├─ 📝 growth.md Markdown 580L · 23.8 KB

│ ├─ 📝 pre-revenue.md Markdown 301L · 12.5 KB

│ ├─ 📝 restart.md Markdown 181L · 7.3 KB

│ └─ 📝 scaling.md Markdown 402L · 16.6 KB

├─ 📋 _meta.json JSON 5L · 132 B

├─ 📝 CLAUDE.md Markdown 58L · 6.1 KB

├─ 📋 package.json JSON 34L · 815 B

├─ 📝 README.md Markdown 141L · 7.9 KB

└─ 📝 SKILL.md Markdown 129L · 7.3 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`beautiful-mermaid`	`^1.1.3`	npm	No	Version range allows minor/patch updates. No known vulnerabilities at time of analysis.

Security Positives

✓ No credential theft: no access to ~/.ssh, ~/.aws, .env, or environment variables for sensitive keys

✓ No data exfiltration: no network calls, no external IP communication, no POST requests

✓ No obfuscation: all code is readable plain text, no base64, eval, or atob patterns

✓ No prompt injection: no hidden instructions in HTML comments or anywhere else

✓ No persistence mechanisms: no cron jobs, startup hooks, or backdoor installation

✓ No sensitive file access: filesystem operations are scoped to the skill's own install directory

✓ No arbitrary command execution: execSync is limited to a fixed npm install command in a known directory

✓ MIT license with clear authorship and public GitHub repository

✓ Skill behavior fully matches documentation — no doc-to-code mismatch

✓ File tree is transparent: 21 markdown files (business logic/documentation), 2 JS scripts (diagram rendering + install)

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives