opus-certification Security Report — Low Risk | ClawSafe

25 /100

opus-certification

Opus 4.6 Quality Certification program for ClawHub skills

A certification info tool with a suspicious but unused execSync import; no actual malicious behavior detected.

Skill Nameopus-certification

Duration26.6s

Enginepi

✓

Safe to install

Remove the unused execSync import from index.js to eliminate the suspicious dead code. Otherwise safe to use.

Findings 2 items

Severity	Finding	Location
Low	Unused execSync import Doc Mismatch The child_process.execSync function is imported at line 10 of index.js but never called anywhere in the code. This could be dead code, or it could be a placeholder for malicious functionality that was removed or will be added later. `const { execSync } = require('child_process');` → Remove the unused execSync import if it's not needed. If shell execution is genuinely required, implement it with proper input validation and declare it in SKILL.md.	`index.js:10`
Low	Unused fs module import Doc Mismatch The fs module is imported at line 9 of index.js but never used in any function. The code performs no actual filesystem operations. `const fs = require('fs');` → Remove the unused fs import if filesystem operations are not needed.	`index.js:9`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	index.js:9 'const fs = require('fs')' imported but not used
Network	`NONE`	`NONE`	—	No network operations found
Shell	`NONE`	`NONE`	—	index.js:10 'const { execSync } = require('child_process')' imported but never e…
Environment	`NONE`	`NONE`	—	No os.environ access
Skill Invoke	`NONE`	`NONE`	—	No skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database operations

2 findings

🔗

Medium External URL 外部 URL

https://clawhub.com/certification

SKILL.md:168

📧

Info Email 邮箱地址

[email protected]

README.md:73

4 files · 18.8 KB · 625 lines

JavaScript 1f · 323L Markdown 2f · 259L JSON 1f · 43L

├─ 📜 index.js JavaScript 323L · 9.8 KB

├─ 📋 package.json JSON 43L · 1.1 KB

├─ 📝 README.md Markdown 88L · 3.1 KB

└─ 📝 SKILL.md Markdown 171L · 4.7 KB

Package	Version	Source	Known Vulns	Notes
`fs`	`builtin`	Node.js core	No	Imported but unused
`path`	`builtin`	Node.js core	No	Imported but unused
`child_process`	`builtin`	Node.js core	No	Imported but unused

✓ No external dependencies - package.json has no runtime dependencies

✓ SKILL.md accurately documents the skill's functionality

✓ No network requests or data exfiltration attempts

✓ No credential harvesting or sensitive file access

✓ No obfuscated code or suspicious patterns

✓ No hardcoded secrets or API keys

✓ Clean, straightforward CLI implementation