Low risk — risk score 20/100
Last scan: 1 day ago
tvs-analyze
Code and project analysis expert: generates madge dependency graphs to help developers understand project structure, dependency relationships and business logic.
A straightforward code analysis skill that generates madge dependency graphs; uses execSync for CLI tooling which is expected and documented, with no credential access or data exfiltration.
Skill name: tvs-analyze
Analysis time: 42.1s
Engine: pi
Verdict: safe to install
Approve for use. The skill is a legitimate development tool with no malicious behavior. Consider documenting the execSync usage in SKILL.md for transparency.

Security findings (3)

Severity: Low
Finding: SKILL.md embeds script code but does not explicitly declare shell execution (category: documentation deception)
Description: SKILL.md references 'node .claude/skills/analyze/scripts/generate-madge.mjs' and includes a script block, but does not explicitly state that the skill invokes shell commands via child_process.execSync. This is a minor doc-to-code mismatch that could confuse users about the skill's actual behavior.
Evidence: node .claude/skills/analyze/scripts/generate-madge.mjs
Recommendation: Add a brief 'Permissions required' section to SKILL.md listing shell and filesystem write access.
Location: SKILL.md:44
Severity: Low
Finding: npx madge executed without a pinned version (category: supply chain)
Description: The script runs 'npx madge' without specifying a version (e.g., 'npx madge@6'), so it fetches whatever version is latest on npm at execution time.
Evidence: execSync(`npx madge --image ${OUTPUT_PATH} --extensions ${EXTENSIONS} ${DIR}`, { stdio: 'inherit' })
Recommendation: Pin the madge version, e.g., 'npx [email protected]', to prevent unexpected behavior from breaking changes.
Location: scripts/generate-madge.mjs:55
Severity: Info
Finding: execSync used for CLI tooling (category: code execution)
Description: child_process.execSync is used to run 'command -v' and 'npx madge'. execSync carries risk (arbitrary command injection if inputs were unsanitized), but in this case all inputs (DIR, EXTENSIONS) are derived from process.argv and are directory/file-path scoped. The risk is contained.
Evidence: execSync(`command -v ${cmd}`, { stdio: 'ignore' })
Recommendation: No action needed; this is standard for CLI tool wrappers. The inputs are user-supplied directory paths, which are inherently scoped.
Location: scripts/generate-madge.mjs:27
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | NONE | WRITE | ✓ Consistent | scripts/generate-madge.mjs:27-32: execSync with command -v and npx madge |
| Filesystem | NONE | WRITE | ✓ Consistent | scripts/generate-madge.mjs:47: mkdirSync(OUTPUT_DIR) and SVG output |
| Network access | NONE | READ | ✓ Consistent | scripts/generate-madge.mjs:33: npx madge downloads from npm at runtime |

Directory structure

2 files · 5.5 KB · 140 lines
JavaScript: 1 file · 86 lines; Markdown: 1 file · 54 lines
├─ 📁 scripts
│ └─ 📜 generate-madge.mjs JavaScript 86L · 2.5 KB
└─ 📝 SKILL.md Markdown 54L · 2.9 KB

Dependency analysis (2)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| madge | * | npx (npm) | | Version not pinned; fetched at runtime via npx |
| graphviz | * | system package | | Required system dependency; version unknown |

Security highlights

✓ No credential harvesting or sensitive data access
✓ No data exfiltration or C2 communication
✓ No obfuscation or base64-encoded payloads
✓ No reverse shell or remote code execution beyond standard CLI tooling
✓ Script logic is simple, readable, and does exactly what it claims
✓ Output directory is scoped to .claude/analyze/ — contained within the project