auto-pipeline 安全扫描报告 — 可信 | ClawSafe

5 /100

auto-pipeline

技能自动开发流水线（PM辅助工具）

This is a legitimate skill development pipeline tool with no malicious behavior. The pre-scan flag for 'rm -rf /' is a false positive - it's a grep pattern used in security scanning, not an actual dangerous command.

技能名称auto-pipeline

分析耗时46.1s

引擎pi

✓

可以安装

No action required. The skill is safe to use.

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	Creates skill files in ~/.openclaw/workspace/skills/
命令执行	`WRITE`	`WRITE`	✓ 一致	Uses bash -n for syntax checking, runs test scripts
网络访问	`NONE`	`NONE`	—	No curl/wget/network calls found
环境变量	`READ`	`READ`	✓ 一致	Reads PIPELINE_STATE_DIR and similar config vars

1 严重 1 项发现

💀

严重危险命令危险 Shell 命令

rm -rf /

src/review_engine.sh:325

目录结构

24 文件 · 111.1 KB · 3604 行

Shell 13f · 3026L Markdown 8f · 537L JSON 3f · 41L

├─ ▾ 📁 docs

│ └─ 📝 PRODUCTION_CHECKLIST.md Markdown 179L · 3.7 KB

├─ ▾ 📁 src

│ ├─ 🔧 fix_engine.sh Shell 171L · 5.0 KB

│ ├─ 🔧 plan_reviewer.sh Shell 213L · 6.7 KB

│ ├─ 🔧 prd_reader.sh Shell 205L · 5.9 KB

│ ├─ 🔧 publish_engine.sh Shell 170L · 5.1 KB

│ ├─ 🔧 review_engine.sh Shell 477L · 14.9 KB

│ ├─ 🔧 spawn_engine.sh Shell 289L · 8.5 KB

│ ├─ 🔧 status_manager.sh Shell 172L · 4.8 KB

│ └─ 🔧 task_planner.sh Shell 236L · 7.2 KB

├─ ▾ 📁 templates

│ └─ 📋 task_declaration.json JSON 20L · 444 B

├─ ▾ 📁 tests

│ ├─ ▾ 📁 fixtures

│ │ ├─ ▾ 📁 mock_skill

│ │ │ ├─ ▾ 📁 src

│ │ │ │ └─ 🔧 main.sh Shell 12L · 265 B

│ │ │ ├─ 📋 package.json JSON 7L · 148 B

│ │ │ ├─ 📝 README.md Markdown 2L · 52 B

│ │ │ ├─ 📝 SKILL.md Markdown 19L · 246 B

│ │ │ └─ 🔧 test_all.sh Shell 15L · 298 B

│ │ ├─ ▾ 📁 poor_skill

│ │ │ └─ ▾ 📁 src

│ │ │ └─ 🔧 main.sh Shell 3L · 94 B

│ │ ├─ 📝 empty_prd.md Markdown 1L · 9 B

│ │ ├─ 📝 freeform_prd.md Markdown 14L · 240 B

│ │ └─ 📝 sample_prd.md Markdown 30L · 615 B

│ └─ 🔧 test_all.sh Shell 558L · 22.1 KB

├─ 📋 package.json JSON 14L · 458 B

├─ 🔧 pipeline.sh Shell 505L · 15.6 KB

├─ 📝 README.md Markdown 150L · 4.3 KB

└─ 📝 SKILL.md Markdown 142L · 4.5 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`jq`	`*`	system	否	Required for JSON processing
`bash`	`4+`	system	否	Shell scripting runtime

安全亮点

✓ Uses 'set -euo pipefail' for safe shell scripting across all modules

✓ No credential theft or API key harvesting detected

✓ No network exfiltration or C2 communication

✓ No base64-encoded obfuscation or anti-analysis techniques

✓ No remote script execution (curl|bash, wget|sh)

✓ State files stored in protected ~/.openclaw/pipeline/ directory

✓ Git operations only affect skill directories, not system paths

✓ MIT License with clear copyright (思捷娅科技 SJYKJ)

✓ All dangerous patterns checked are for security review, not exploitation