Trusted: risk score 5/100
Last scanned: 1 day ago
wip-readme-format
Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.
The wip-readme-format skill is a straightforward README reformatting tool with no security issues. All behavior is declared, file operations are limited to the target repo, and there is no network access, credential harvesting, or obfuscation.
Skill name: wip-readme-format
Analysis time: 23.4s
Engine: pi
Safe to install
This skill is safe to use. No action required.
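| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ+WRITE | READ+WRITE | ✓ Consistent | SKILL.md: reads package.json, SKILL.md, README.md, LICENSE; writes README-init-*… |
| Network access | NONE | NONE | | No network calls in format.mjs |
| Command execution | NONE | READ | ✓ Consistent | format.mjs:294 - execSync('git status --porcelain') is not declared in SKILL.md;… |
| Environment variables | NONE | NONE | | No environment variable access |
| Skill invocation | NONE | NONE | | No skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser access |
| Database | NONE | NONE | | No database access |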
2 findings

Medium risk: External URL
https://img.shields.io/badge/interface-$
format.mjs:82

Medium risk: External URL
https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black
format.mjs:506

Directory structure

4 files · 24.4 KB · 745 lines
JavaScript 1f · 597L Markdown 2f · 133L JSON 1f · 15L
├─ 📜 format.mjs JavaScript 597L · 20.6 KB
├─ 📋 package.json JSON 15L · 461 B
├─ 📝 README.md Markdown 49L · 1.5 KB
└─ 📝 SKILL.md Markdown 84L · 1.9 KB

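Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| node built-ins only | N/A | node:fs, node:path, node:url, node:child_process | | No external npm dependencies in package.json; all imports are Node.js built-in modules |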

Security highlights

✓ All file operations are scoped to the target repo path provided as an argument
✓ No network requests or external IP communication
✓ No credential, key, or token harvesting of any kind
✓ No obfuscation (base64, eval, atob) or anti-analysis techniques
✓ Backup of original README.md and TECHNICAL.md to ai/_trash/ before overwriting provides a safety net
✓ DEPLOY mode gates on git status check (untracked files must be reviewed before deploy)
✓ All operations are read-focused (parse existing README, extract features, reassemble) — minimal blast radius
✓ Imported dependency detect.mjs is not actually invoked in this file (dynamic import but never awaited/called)
✓ No supply chain risk: only node built-in modules used (fs, path, url, child_process for safety check)