Trusted — Risk Score 5/100
Last scan: 16 hr ago
cligen
CLI tool scaffolding generator for Bash/Python
Legitimate CLI tool scaffolding generator with no malicious indicators. Code generation is correctly scoped and documented.
Skill Name: cligen
Duration: 40.9s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings 2 items

Severity Finding Location
Low
No dependency version pinning Supply Chain
package.json has no runtime dependencies but lacks a scripts section for the cligen CLI entry point.
"name": "cli-tool-generator"
→ Add scripts section if cligen is meant to be installed via npm, or document the bash entry point.
package.json:1
Info
File structure mismatch Doc Mismatch
SKILL.md lists 'cligen' as CLI entry point and src/bash_template/ and src/python_template/ directories that don't exist in the actual distribution.
├── cligen
│   ├── src/
│   │   ├── bash_template/
│   │   └── python_template/
→ Update SKILL.md file structure to match actual layout (src/generator.sh, src/validator.sh, src/preflight.sh).
SKILL.md:46
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md declares file generation; code creates tool skeletons in specified outp…
Shell READ READ ✓ Aligned Uses command -v for dependency checks, mkdir/cp/chmod for file operations
Network NONE NONE No network requests observed
Environment NONE NONE No environment variable access beyond CONFIG_FILE
Skill Invoke NONE NONE No skill invocation patterns found
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser access
Database NONE NONE No database access
1 finding
Medium External URL
https://clawhub.com
README.md:135

File Tree

7 files · 36.8 KB · 1345 lines
Shell 4f · 1083L Markdown 2f · 250L JSON 1f · 12L
├─ 📁 src
│ ├─ 🔧 generator.sh Shell 828L · 21.2 KB
│ ├─ 🔧 preflight.sh Shell 27L · 818 B
│ └─ 🔧 validator.sh Shell 129L · 4.2 KB
├─ 📁 tests
│ └─ 🔧 test_all.sh Shell 99L · 3.6 KB
├─ 📋 package.json JSON 12L · 410 B
├─ 📝 README.md Markdown 148L · 3.6 KB
└─ 📝 SKILL.md Markdown 102L · 3.0 KB

Dependencies 4 items

Package Version Source Known Vulns Notes
bash >=4.0 system No Declared in preflight.sh checks
git any system No Optional, used for doctor command
sed any system No Used for template variable substitution
awk any system No Optional utility

Security Positives

✓ Uses set -euo pipefail for bash safety in all scripts
✓ All functionality is documented in SKILL.md
✓ No credential harvesting or environment variable enumeration
✓ No network requests or data exfiltration
✓ No obfuscation (base64, eval) or suspicious encoding
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ Generated tools use proper error handling and argument parsing
✓ MIT License with clear copyright attribution
✓ Test suite covers core functionality