Scan Report
5/100
vscode-copilot
Bridge between OpenClaw and VS Code Copilot — dispatch coding tasks from any OpenClaw channel to VS Code for execution.
A minimal single-file SKILL.md bridge that uses curl to dispatch coding tasks to a local VS Code Copilot extension via localhost HTTP. No scripts, no dependencies, no external traffic, and no sensitive access — behavior is fully declared and transparent.
Safe to install
No action required. The skill is safe to use as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file read/write operations in SKILL.md |
| Network | READ | READ | ✓ Aligned | curl POSTs JSON to localhost:19836 — lines 28-31 SKILL.md |
| Shell | WRITE | WRITE | ✓ Aligned | Uses curl commands to send HTTP requests — lines 24-34 SKILL.md |
| Environment | NONE | NONE | — | No environment variable access declared or observed |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
1 finding
Medium: External URL
https://marketplace.visualstudio.com/items?itemName=wodeapp.openclaw-chat (SKILL.md:5)
File Tree
1 file · 3.3 KB · 92 lines (Markdown)
└─ SKILL.md (Markdown)
Security Positives
✓ Single-file skill with no executable scripts or binaries — zero supply-chain risk
✓ All network traffic is strictly localhost (127.0.0.1:19836), no external data exfiltration
✓ SKILL.md fully documents all behavior including endpoints, data sent, and security model
✓ No credential harvesting, no environment variable access, no sensitive file paths touched
✓ No obfuscation, no base64, no eval — pure curl/HTTP documented behavior
✓ No dependencies (no package.json, requirements.txt, etc.)
✓ No data leaves the machine — Copilot processes requests through GitHub's standard API
✓ Verified marketplace extension (wodeapp.openclaw-chat) — no typosquatting or spoofing signals