skill-dep-fixer 安全扫描报告 — 低风险 | ClawSafe

20 /100

skill-dep-fixer

Scan installed OpenClaw skills, detect missing dependencies (npm, pip, brew, system binaries), and auto-fix what's fixable.

A legitimate dependency management tool for OpenClaw skills, but with significant doc-to-code mismatch: the --fix shell execution and --init/--manifest hidden flags are entirely undeclared in SKILL.md.

技能名称skill-dep-fixer

分析耗时52.7s

引擎pi

✓

可以安装

Declare all CLI flags (--fix, --init, --name, --description, --manifest) and the shell:WRITE capability in SKILL.md. Version-pin npm dependencies (chalk, js-yaml). Audit the --manifest path for supply-chain risks before merging.

安全发现 5 项

严重性	安全发现	位置
中危	Undeclared --fix flag triggers shell:WRITE execution 文档欺骗 SKILL.md describes the tool as a dependency checker with 'auto-fix' capability but never documents the --fix CLI flag. When --fix is provided, the tool executes 'brew install', 'npm install -g', and 'pip install' commands via exec() — a direct shell:WRITE capability that should be declared. Users have no documentation to understand the destructive nature of this flag. function installCommand(entry) { if (entry.kind === 'brew' && entry.formula) return `brew install ${entry.formula}`; if (entry.kind === 'npm' && entry.id) return `npm install -g ${entry.id}`; if (entry.kind === 'pip' && entry.id) return `pip3 install ${entry.id}`; } → Document --fix under a distinct 'Installation mode' section in SKILL.md with explicit warnings about system-wide package installations.	`skill-dep-fixer.js:144`
中危	Undeclared --init flag performs filesystem:WRITE to ~/.openclaw 文档欺骗 The --init flag creates new SKILL.md files at ~/.openclaw/workspace/skills/<name>/SKILL.md using fs.mkdir and fs.writeFile. This is a filesystem:WRITE operation that enables skill creation/persistence. It is entirely absent from SKILL.md documentation. `async function initSkill(skillName, values) { const skillDir = path.join(os.homedir(), '.openclaw', 'workspace', 'skills'); await fs.mkdir(skillDir, { recursive: true }); await fs.writeFile(skillFile, buildSkillTemplate(...), 'utf8'); }` → Document --init and its --name/--description sub-flags in SKILL.md, or remove the functionality if not intended for end users.	`skill-dep-fixer.js:119`
中危	Undeclared --manifest flag introduces alternative code path 文档欺骗 src/skill-dep-fixer.js exposes a --manifest flag that calls parsers.parseManifest() when present. This alternative entry point is not documented anywhere and allows bypassing the normal skill directory scanning with an arbitrary manifest input. The purpose and safety of this path is unclear. `manifest: (() => { const i = argv.findIndex((a) => a === '--manifest'); return i >= 0 ? argv[i + 1] : undefined; })(),` → Document --manifest or remove it from the public entry point. If intended for automation, document the expected manifest schema.	`src/skill-dep-fixer.js:25`
低危	npm dependencies not version-pinned 供应链 package.json specifies chalk ^4.1.2 and js-yaml ^4.1.1 using caret ranges, allowing potentially broad updates. This could allow a compromised upstream package to be silently installed. `"chalk": "^4.1.2", "js-yaml": "^4.1.1"` → Pin exact versions: [email protected] and [email protected] to prevent supply-chain drift.	`package.json:19`
低危	Reads environment variables via os.homedir() for npm prefix resolution 敏感访问 src/installer.js calls os.homedir() to determine whether npm's global prefix is in the user's home directory, to decide whether to fall back to --location=user. This accesses user environment information but only uses it for a legitimate installation path decision. `const home = os.homedir(); let prefix = run('npm config get prefix').trim();` → No action needed; behavior is benign and standard for npm installation handling.	`src/installer.js:46`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`WRITE`	✗ 越权	skill-dep-fixer.js:119 - initSkill writes to ~/.openclaw/workspace/skills/
命令执行	`NONE`	`WRITE`	✗ 越权	skill-dep-fixer.js:144 - installCommand() returns brew/npm/pip install commands …
环境变量	`NONE`	`READ`	✗ 越权	src/installer.js:6 - os.homedir() used for npm prefix resolution
网络访问	`NONE`	`READ`	✓ 一致	src/installer.js - npm install -g / brew install / pip install trigger outbound …

目录结构

8 文件 · 27.4 KB · 977 行

JavaScript 6f · 857L Markdown 1f · 96L JSON 1f · 24L

├─ ▾ 📁 src

│ ├─ 📜 checkers.js JavaScript 75L · 2.2 KB

│ ├─ 📜 installer.js JavaScript 126L · 3.6 KB

│ ├─ 📜 parsers.js JavaScript 86L · 2.2 KB

│ ├─ 📜 reporter.js JavaScript 110L · 3.6 KB

│ └─ 📜 skill-dep-fixer.js JavaScript 146L · 3.9 KB

├─ 📋 package.json JSON 24L · 511 B

├─ 📜 skill-dep-fixer.js JavaScript 314L · 8.8 KB

└─ 📝 SKILL.md Markdown 96L · 2.6 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`chalk`	`^4.1.2`	npm	否	Caret range — not pinned to exact version
`js-yaml`	`^4.1.1`	npm	否	Caret range — not pinned to exact version

安全亮点

✓ Uses shellQuote() with proper single-quote escaping in installer.js, mitigating command injection

✓ No base64-encoded strings, eval(), or dynamic code generation found

✓ No credential harvesting, environment variable enumeration, or sensitive path access (no ~/.ssh, ~/.aws, .env reads)

✓ No curl|bash or wget|sh remote script execution patterns

✓ No network exfiltration or C2 communication

✓ Dependencies (chalk, js-yaml) are well-known, reputable npm packages

✓ The core functionality (checking and fixing skill dependencies) is accurately described, even if --fix is undocumented

✓ src/installer.js has proper error handling for network failures and EACCES permission errors with graceful fallbacks