cligen 安全扫描报告 — 可信 | ClawSafe

5 /100

cligen

CLI tool scaffolding generator for Bash/Python

Legitimate CLI tool scaffolding generator with no malicious indicators. Code generation is correctly scoped and documented.

技能名称cligen

分析耗时40.9s

引擎pi

✓

可以安装

This skill is safe to use. No security concerns identified.

安全发现 2 项

严重性	安全发现	位置
低危	No dependency version pinning 供应链 package.json has no runtime dependencies but lacks a scripts section for the cligen CLI entry point. `"name": "cli-tool-generator"` → Add scripts section if cligen is meant to be installed via npm, or document the bash entry point.	`package.json:1`
提示	File structure mismatch 文档欺骗 SKILL.md lists 'cligen' as CLI entry point and src/bash_template/ and src/python_template/ directories that don't exist in the actual distribution. `├── cligen\n│ ├── src/\n│ │ ├── bash_template/\n│ │ └── python_template/` → Update SKILL.md file structure to match actual layout (src/generator.sh, src/validator.sh, src/preflight.sh).	`SKILL.md:46`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares file generation; code creates tool skeletons in specified outp…
命令执行	`READ`	`READ`	✓ 一致	Uses command -v for dependency checks, mkdir/cp/chmod for file operations
网络访问	`NONE`	`NONE`	—	No network requests observed
环境变量	`NONE`	`NONE`	—	No environment variable access beyond CONFIG_FILE
技能调用	`NONE`	`NONE`	—	No skill invocation patterns found
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No database access

1 项发现

🔗

中危外部 URL 外部 URL

https://clawhub.com

README.md:135

7 文件 · 36.8 KB · 1345 行

Shell 4f · 1083L Markdown 2f · 250L JSON 1f · 12L

├─ ▾ 📁 src

│ ├─ 🔧 generator.sh Shell 828L · 21.2 KB

│ ├─ 🔧 preflight.sh Shell 27L · 818 B

│ └─ 🔧 validator.sh Shell 129L · 4.2 KB

├─ ▾ 📁 tests

│ └─ 🔧 test_all.sh Shell 99L · 3.6 KB

├─ 📋 package.json JSON 12L · 410 B

├─ 📝 README.md Markdown 148L · 3.6 KB

└─ 📝 SKILL.md Markdown 102L · 3.0 KB

包名	版本	来源	已知漏洞	备注
`bash`	`>=4.0`	system	否	Declared in preflight.sh checks
`git`	`any`	system	否	Optional, used for doctor command
`sed`	`any`	system	否	Used for template variable substitution
`awk`	`any`	system	否	Optional utility

✓ Uses set -euo pipefail for bash safety in all scripts

✓ All functionality is documented in SKILL.md

✓ No credential harvesting or environment variable enumeration

✓ No network requests or data exfiltration

✓ No obfuscation (base64, eval) or suspicious encoding

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ Generated tools use proper error handling and argument parsing

✓ MIT License with clear copyright attribution

✓ Test suite covers core functionality