Low risk: risk score 22/100
Last scan: 19 hours ago
zhua-contributor
爪爪 community contribution system: publish skills to skillhub, write documentation, share experience
This is a placeholder/template skill with benign shell scripts that list files and display information, but contains documentation mismatch (SKILL.md references non-existent scripts) and accesses a sensitive workspace path.
Skill name: zhua-contributor
Analysis time: 40.4s
Engine: pi
Verdict: can be installed
Review the SKILL.md documentation accuracy. The referenced scripts (prep_skill.py, validate_skill.py, gen_docs.py, publish_skill.py) do not exist - only example.py and publish_all.sh are present. Verify this is intentional template content.

Security findings (2)

Severity | Finding | Location

[Medium] SKILL.md references non-existent scripts (category: documentation deception)
The documentation lists 4 scripts (prep_skill.py, validate_skill.py, gen_docs.py, publish_skill.py) with command-line usage examples, but only example.py and publish_all.sh exist in the scripts/ directory. This is a documentation mismatch that could mislead users about the skill's actual functionality.
Evidence:
    python3 scripts/prep_skill.py --skill <技能路径>
→ Either implement the referenced scripts or remove them from the SKILL.md documentation to avoid a doc-to-code mismatch.
Location: SKILL.md:47

[Low] Access to OpenClaw workspace path (category: sensitive access)
The publish_all.sh script accesses /root/.openclaw/workspace/ to check for skill packages. While this is related to the skill's purpose (publishing to skillhub), it accesses a sensitive system path.
Evidence:
    skill_file="/root/.openclaw/workspace/${skill}.skill"
→ This access is legitimate for the stated purpose, but ensure the skill declares filesystem:READ access in its capability requirements.
Location: scripts/publish_all.sh:17
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ consistent | publish_all.sh accesses /root/.openclaw/workspace/ only for file listing and siz…
Network access | NONE | NONE | | No network requests found in any scripts
Command execution | NONE | NONE | | Only uses bash for local file operations and echo statements
Environment variables | NONE | NONE | | No environment variable access detected

Directory structure

5 files · 5.7 KB · 211 lines
Markdown: 2 files, 103 lines · Shell: 1 file, 65 lines · Text: 1 file, 24 lines · Python: 1 file, 19 lines
├─ 📁 assets
│ └─ 📄 example_asset.txt Text 24L · 865 B
├─ 📁 references
│ └─ 📝 api_reference.md Markdown 34L · 967 B
├─ 📁 scripts
│ ├─ 🐍 example.py Python 19L · 591 B
│ └─ 🔧 publish_all.sh Shell 65L · 1.5 KB
└─ 📝 SKILL.md Markdown 69L · 1.8 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
python3 | unspecified | system | | Only used for the placeholder example.py script

Security highlights

✓ No credential harvesting or exfiltration detected
✓ No network requests to external IPs
✓ No base64-encoded commands or obfuscation
✓ No reverse shell or C2 communication
✓ The publish_all.sh script only performs read-only operations (file existence checks and size reporting)
✓ No supply chain risks - only standard libraries used in example.py
✓ Scripts are simple and easily auditable