tvs-analyze Security Report — Low Risk | ClawSafe

20 /100

tvs-analyze

代码与项目分析专家，生成 madge 依赖图，帮助开发者了解项目结构、依赖关系和业务逻辑

A straightforward code analysis skill that generates madge dependency graphs; uses execSync for CLI tooling which is expected and documented, with no credential access or data exfiltration.

Skill Nametvs-analyze

Duration42.1s

Enginepi

✓

Safe to install

Approve for use. The skill is a legitimate development tool with no malicious behavior. Consider documenting the execSync usage in SKILL.md for transparency.

Findings 3 items

Severity	Finding	Location
Low	SKILL.md embeds script code but does not explicitly declare shell execution Doc Mismatch The SKILL.md references 'node .claude/skills/analyze/scripts/generate-madge.mjs' and includes a script block, but does not explicitly state that the skill invokes shell commands via child_process.execSync. This is a minor doc-to-code mismatch that could confuse users about the skill's actual behavior. `node .claude/skills/analyze/scripts/generate-madge.mjs` → Add a brief 'Permissions required' section to SKILL.md listing shell and filesystem write access.	`SKILL.md:44`
Low	npx madge executed without pinned version Supply Chain The script runs 'npx madge' without specifying a version (e.g., 'npx madge@6'), meaning it always fetches the latest version from npm at execution time. execSync(`npx madge --image ${OUTPUT_PATH} --extensions ${EXTENSIONS} ${DIR}`, { stdio: 'inherit' }) → Pin the madge version, e.g., 'npx [email protected]' to prevent unexpected behavior from breaking changes.	`scripts/generate-madge.mjs:55`
Info	execSync used for CLI tooling RCE child_process.execSync is used to run 'command -v' and 'npx madge'. execSync carries risk (arbitrary command injection if inputs were unsanitized), but in this case all inputs (DIR, EXTENSIONS) are derived from process.argv and are directory/file-path scoped. The risk is contained. execSync(`command -v ${cmd}`, { stdio: 'ignore' }) → No action needed; this is standard for CLI tool wrappers. The inputs are user-supplied directory paths which are inherently scoped.	`scripts/generate-madge.mjs:27`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✓ Aligned	scripts/generate-madge.mjs:27-32 execSync with command -v and npx madge
Filesystem	`NONE`	`WRITE`	✓ Aligned	scripts/generate-madge.mjs:47 mkdirSync(OUTPUT_DIR) and SVG output
Network	`NONE`	`READ`	✓ Aligned	scripts/generate-madge.mjs:33 npx madge downloads from npm at runtime

File Tree

2 files · 5.5 KB · 140 lines

JavaScript 1f · 86L Markdown 1f · 54L

├─ ▾ 📁 scripts

│ └─ 📜 generate-madge.mjs JavaScript 86L · 2.5 KB

└─ 📝 SKILL.md Markdown 54L · 2.9 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`madge`	`*`	npx (npm)	No	Version not pinned; fetched at runtime via npx
`graphviz`	`*`	system package	No	Required system dependency; version unknown

Security Positives

✓ No credential harvesting or sensitive data access

✓ No data exfiltration or C2 communication

✓ No obfuscation or base64-encoded payloads

✓ No reverse shell or remote code execution beyond standard CLI tooling

✓ Script logic is simple, readable, and does exactly what it claims

✓ Output directory is scoped to .claude/analyze/ — contained within the project

Scan Report

Findings 3 items

File Tree

Dependencies 2 items

Security Positives