Low risk: risk score 25/100
Last scanned: 1 day ago
opus-certification
Opus 4.6 Quality Certification program for ClawHub skills
A certification info tool with a suspicious but unused execSync import; no actual malicious behavior detected.
Skill name: opus-certification
Analysis time: 26.6s
Engine: pi
OK to install
Remove the unused execSync import from index.js to eliminate the suspicious dead code. Otherwise safe to use.

Security findings: 2

Severity · Finding · Location
Low
Unused execSync import (category: documentation deception)
The child_process.execSync function is imported at line 10 of index.js but never called anywhere in the code. This could be dead code, or it could be a placeholder for malicious functionality that was removed or will be added later.
const { execSync } = require('child_process');
→ Remove the unused execSync import if it's not needed. If shell execution is genuinely required, implement it with proper input validation and declare it in SKILL.md.
index.js:10
Low
Unused fs module import (category: documentation deception)
The fs module is imported at line 9 of index.js but never used in any function. The code performs no actual filesystem operations.
const fs = require('fs');
→ Remove the unused fs import if filesystem operations are not needed.
index.js:9
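| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | NONE | READ | ✓ Consistent | index.js:9 'const fs = require('fs')' imported but not used |
| Network access | NONE | NONE | | No network operations found |
| Command execution | NONE | NONE | | index.js:10 'const { execSync } = require('child_process')' imported but never e… |
| Environment variables | NONE | NONE | | No os.environ access |
| Skill invocation | NONE | NONE | | No skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database operations |

2 findings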
🔗
Medium · External URL
https://clawhub.com/certification
SKILL.md:168
📧
Info · Email address
[email protected]
README.md:73

Directory structure

4 files · 18.8 KB · 625 lines
JavaScript 1f · 323L Markdown 2f · 259L JSON 1f · 43L
├─ 📜 index.js JavaScript 323L · 9.8 KB
├─ 📋 package.json JSON 43L · 1.1 KB
├─ 📝 README.md Markdown 88L · 3.1 KB
└─ 📝 SKILL.md Markdown 171L · 4.7 KB

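Dependency analysis: 3 items

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| fs | builtin | Node.js core | | Imported but unused |
| path | builtin | Node.js core | | Imported but unused |
| child_process | builtin | Node.js core | | Imported but unused |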

Security highlights

✓ No external dependencies - package.json has no runtime dependencies
✓ SKILL.md accurately documents the skill's functionality
✓ No network requests or data exfiltration attempts
✓ No credential harvesting or sensitive file access
✓ No obfuscated code or suspicious patterns
✓ No hardcoded secrets or API keys
✓ Clean, straightforward CLI implementation