Trusted — Risk Score 0/100
Last scan: 23 hr ago
wip-repo-permissions-hook
Repo visibility guard. Blocks repos from going public without a -private counterpart.
Repo visibility guard that safely uses gh CLI to check GitHub repo visibility. All capabilities are declared, no sensitive access, no credential harvesting, no obfuscation.
Skill Name: wip-repo-permissions-hook
Duration: 29.1s
Engine: pi
Safe to install
No action needed. This skill is safe to use as documented.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | cli.js:7 reads own package.json for version flag
Shell | WRITE | WRITE | ✓ Aligned | core.mjs:49-53 uses execFileSync('gh', ...) for GitHub API calls. Declared and n…
Network | READ | READ | ✓ Aligned | gh CLI proxies all GitHub API requests. No direct IP/network access.
Environment | NONE | NONE | | No env var access. gh handles its own auth.
Skill Invoke | NONE | NONE | | Standard tool invocation through MCP
Clipboard | NONE | NONE | | Not used
Browser | NONE | NONE | | Not used
Database | NONE | NONE | | Not used
8 findings
Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/npm/v/@wipcomputer/wip-repo-permissions-hook | README.md:3
Medium | External URL | https://www.npmjs.com/package/@wipcomputer/wip-repo-permissions-hook | README.md:3
Medium | External URL | https://img.shields.io/badge/interface-CLI_/_TUI-black | README.md:3
Medium | External URL | https://img.shields.io/badge/interface-MCP_Server-black | README.md:3
Medium | External URL | https://img.shields.io/badge/interface-OpenClaw_Plugin-black | README.md:3
Medium | External URL | https://img.shields.io/badge/interface-Claude_Code_Hook-black | README.md:3
Medium | External URL | https://img.shields.io/badge/interface-Claude_Code_Skill-black | README.md:3
Medium | External URL | https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black | README.md:3

File Tree

8 files · 17.2 KB · 569 lines
JavaScript 4f · 371L Markdown 2f · 159L JSON 2f · 39L
├─ 📜 cli.js JavaScript 93L · 2.8 KB
├─ 📜 core.mjs JavaScript 122L · 4.0 KB
├─ 📜 guard.mjs JavaScript 64L · 1.4 KB
├─ 📜 mcp-server.mjs JavaScript 92L · 2.7 KB
├─ 📋 openclaw.plugin.json JSON 8L · 269 B
├─ 📋 package.json JSON 31L · 703 B
├─ 📝 README.md Markdown 86L · 3.5 KB
└─ 📝 SKILL.md Markdown 73L · 1.8 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
@modelcontextprotocol/sdk | ^1.0.0 | npm | No | Version pinned with caret range. Standard MCP library.

Security Positives

✓ Only uses gh CLI - a standard, well-audited GitHub tool
✓ Delegates authentication to gh (no direct credential access)
✓ No sensitive file or path access
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No external URLs accessed (shields.io badges are static assets)
✓ No supply chain risks - MCP SDK is well-known and version-pinned
✓ Open source with clear MIT license
✓ Clean, readable code with no hidden functionality
✓ All declared capabilities match actual implementation