Trusted (risk score 5/100)
Last scan: 1 day ago
skill-drift-guard
Trust-then-verify integrity scanner for local repos and OpenClaw skills
This is a legitimate integrity scanner that detects risky patterns in AI skills. The documented 'curl | bash' is a threat pattern being detected, not executed code. The tool performs only local file analysis with no exfiltration capabilities.
Skill name: skill-drift-guard
Analysis time: 41.1s
Engine: pi
Verdict: safe to install
This skill is safe to use. No security concerns identified.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md declares scan/trust/compare workflows; scanner.js reads files only for … |
| Command execution | WRITE | WRITE | ✓ Consistent | Uses 'node' CLI to run scanner; child_process detection is for scanning targets,… |
| Network access | NONE | NONE | | No network imports or external requests found in code |
| Environment variables | NONE | NONE | | No os.environ access or credential harvesting |
| Skill invocation | NONE | NONE | | No inter-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
Findings: 1 (1 critical)

💀 Critical: dangerous command (dangerous shell command)
   Pattern: curl | bash
   Location: SKILL.md:77

Directory structure

6 files · 83.4 KB · 2868 lines
JavaScript: 5 files · 2751 lines; Markdown: 1 file · 117 lines
├─ 📁 scripts
│ ├─ 📜 cli.js JavaScript 756L · 23.1 KB
│ ├─ 📜 reporters.js JavaScript 588L · 19.7 KB
│ ├─ 📜 rules.js JavaScript 210L · 4.8 KB
│ ├─ 📜 scanner.js JavaScript 1194L · 32.2 KB
│ └─ 📜 version.js JavaScript 3L · 41 B
└─ 📝 SKILL.md Markdown 117L · 3.5 KB

Dependency analysis (1 item)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| none | N/A | none | | Uses only Node.js built-in modules (fs, path, crypto) |

Security highlights

✓ No external network requests or data exfiltration
✓ No credential harvesting or environment variable access
✓ No arbitrary code execution (scanner only reads/analyzes, doesn't execute scanned code)
✓ No base64 obfuscation or eval() usage in self
✓ Uses only Node.js standard library (fs, path, crypto) - no external dependencies
✓ Well-documented threat detection patterns
✓ Includes trust-then-verify workflow for safe baseline management
✓ Supports suppression config to reduce false positives
✓ Pattern detection is for defensive scanning, not offensive execution