中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:22 hr ago Rescan
20 /100
jax-skill-security-scanner
OpenClaw技能安全扫描器 - 专业级安全审计工具
This is a legitimate security scanning tool for OpenClaw skills. It performs static analysis on local files only, with no network exfiltration, credential theft, or obfuscation. The intentionally declared high-risk status is appropriate for a security auditing tool.
Skill Namejax-skill-security-scanner
Duration39.4s
Enginepi
Safe to install
This tool is safe to use for scanning skills. Review code periodically as you would any security tool. The broad security warning in documentation is a minor documentation issue without actual security impact.

Findings 2 items

Severity Finding Location
Low
Overly cautious security warning Doc Mismatch
SKILL.md explicitly labels this tool as 'high risk' with warning banner, which is misleading for a benign security scanner. This is documented intent but could cause unnecessary alarm.
🚨 **安全警告**: 本工具本身被标记为高风险,这是预期的!
→ Consider rephrasing the warning to clarify this is a security tool that legitimately needs file read access, not an actual high-risk skill.
 SKILL.md:1
Low
No production dependencies Supply Chain
package.json has no production dependencies (only devDependency: typescript). All functionality uses built-in Node.js APIs.
"devDependencies": {"typescript": "^5.9.3"}
→ This is a positive finding - minimal attack surface.
 package.json:1
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned Uses fs/promises for read-only file scanning operations
Network NONE NONE No network calls found in codebase - purely local analysis
Shell NONE NONE No subprocess or shell execution found
Environment NONE NONE No environment variable harvesting - only uses process.argv and path operations
Skill Invoke NONE NONE Tool registration only, no skill-to-skill invocation
8 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/npm/v/@jax-npm/skill-security-scanner.svg
README.md:5
🔗
Medium External URL 外部 URL
https://www.npmjs.com/package/@jax-npm/skill-security-scanner
README.md:5
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/License-MIT-yellow.svg
README.md:6
🔗
Medium External URL 外部 URL
https://opensource.org/licenses/MIT
README.md:6
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/OpenClaw-Compatible-brightgreen.svg
README.md:7
🔗
Medium External URL 外部 URL
https://openclaw.ai
README.md:7
🔗
Medium External URL 外部 URL
https://docs.jax-npm.com/skill-security-scanner
README.md:354
📧
Info Email 邮箱地址
[email protected]
SKILL.md:434

File Tree

17 files · 122.4 KB · 3151 lines
JavaScript 9f · 2089L Markdown 2f · 808L JSON 2f · 165L TypeScript 4f · 89L
├─ 📁 bin
│ └─ 📜 skill-security-scan.js JavaScript 226L · 6.8 KB
├─ 📁 dist
│ ├─ 📜 hallucination-detector.js JavaScript 161L · 9.0 KB
│ ├─ 📜 index.d.ts TypeScript 8L · 338 B
│ ├─ 📜 index.js JavaScript 82L · 3.6 KB
│ ├─ 📜 prompt-poison-detector.js JavaScript 178L · 9.8 KB
│ ├─ 📜 reporter_enhanced.js JavaScript 255L · 9.9 KB
│ ├─ 📜 reporter.d.ts TypeScript 10L · 352 B
│ ├─ 📜 reporter.js JavaScript 439L · 20.3 KB
│ ├─ 📜 scanner-new.js JavaScript 248L · 10.7 KB
│ ├─ 📜 scanner.d.ts TypeScript 53L · 1.4 KB
│ ├─ 📜 scanner.js JavaScript 308L · 13.8 KB
│ ├─ 📜 trojan-detector.d.ts TypeScript 18L · 590 B
│ └─ 📜 trojan-detector.js JavaScript 192L · 9.1 KB
├─ 📋 openclaw.plugin.json JSON 77L · 2.7 KB
├─ 📋 package.json JSON 88L · 2.2 KB
├─ 📝 README.md Markdown 360L · 10.1 KB
└─ 📝 SKILL.md Markdown 448L · 11.8 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
typescript ^5.9.3 npm No Dev dependency only, not used at runtime

Security Positives

✓ No network calls or data exfiltration detected
✓ No credential harvesting or environment variable theft
✓ No obfuscation techniques (base64, eval, Function constructor used for legitimate pattern matching only)
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)
✓ No subprocess or shell execution
✓ Clean dependency tree with only TypeScript as devDependency
✓ All pattern detection is local static analysis
✓ MIT licensed with transparent open-source intent