Trusted — Risk Score 5/100
Last scan: 20 hr ago
auto-pipeline
Automated skill development pipeline (PM assistant tool)
This is a legitimate skill development pipeline tool with no malicious behavior. The pre-scan flag for 'rm -rf /' is a false positive - it's a grep pattern used in security scanning, not an actual dangerous command.
Skill Name: auto-pipeline
Duration: 46.1s
Engine: pi
Safe to install
No action required. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Creates skill files in ~/.openclaw/workspace/skills/ |
| Shell | WRITE | WRITE | ✓ Aligned | Uses bash -n for syntax checking, runs test scripts |
| Network | NONE | NONE | | No curl/wget/network calls found |
| Environment | READ | READ | ✓ Aligned | Reads PIPELINE_STATE_DIR and similar config vars |
1 Critical · 1 finding
Critical: Dangerous Command (dangerous shell command)
rm -rf /
src/review_engine.sh:325

File Tree

24 files · 111.1 KB · 3604 lines
Shell 13f · 3026L Markdown 8f · 537L JSON 3f · 41L
├─ 📁 docs
│ └─ 📝 PRODUCTION_CHECKLIST.md Markdown 179L · 3.7 KB
├─ 📁 src
│ ├─ 🔧 fix_engine.sh Shell 171L · 5.0 KB
│ ├─ 🔧 plan_reviewer.sh Shell 213L · 6.7 KB
│ ├─ 🔧 prd_reader.sh Shell 205L · 5.9 KB
│ ├─ 🔧 publish_engine.sh Shell 170L · 5.1 KB
│ ├─ 🔧 review_engine.sh Shell 477L · 14.9 KB
│ ├─ 🔧 spawn_engine.sh Shell 289L · 8.5 KB
│ ├─ 🔧 status_manager.sh Shell 172L · 4.8 KB
│ └─ 🔧 task_planner.sh Shell 236L · 7.2 KB
├─ 📁 templates
│ └─ 📋 task_declaration.json JSON 20L · 444 B
├─ 📁 tests
│ ├─ 📁 fixtures
│ │ ├─ 📁 mock_skill
│ │ │ ├─ 📁 src
│ │ │ │ └─ 🔧 main.sh Shell 12L · 265 B
│ │ │ ├─ 📋 package.json JSON 7L · 148 B
│ │ │ ├─ 📝 README.md Markdown 2L · 52 B
│ │ │ ├─ 📝 SKILL.md Markdown 19L · 246 B
│ │ │ └─ 🔧 test_all.sh Shell 15L · 298 B
│ │ ├─ 📁 poor_skill
│ │ │ └─ 📁 src
│ │ │   └─ 🔧 main.sh Shell 3L · 94 B
│ │ ├─ 📝 empty_prd.md Markdown 1L · 9 B
│ │ ├─ 📝 freeform_prd.md Markdown 14L · 240 B
│ │ └─ 📝 sample_prd.md Markdown 30L · 615 B
│ └─ 🔧 test_all.sh Shell 558L · 22.1 KB
├─ 📋 package.json JSON 14L · 458 B
├─ 🔧 pipeline.sh Shell 505L · 15.6 KB
├─ 📝 README.md Markdown 150L · 4.3 KB
└─ 📝 SKILL.md Markdown 142L · 4.5 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| jq | * | system | No | Required for JSON processing |
| bash | 4+ | system | No | Shell scripting runtime |

Security Positives

✓ Uses 'set -euo pipefail' for safe shell scripting across all modules
✓ No credential theft or API key harvesting detected
✓ No network exfiltration or C2 communication
✓ No base64-encoded obfuscation or anti-analysis techniques
✓ No remote script execution (curl|bash, wget|sh)
✓ State files stored in protected ~/.openclaw/pipeline/ directory
✓ Git operations only affect skill directories, not system paths
✓ MIT License with clear copyright (思捷娅科技 SJYKJ)
✓ All dangerous patterns checked are for security review, not exploitation