Low risk: risk score 20/100
Last scan: 1 day ago
jax-skill-security-scanner
OpenClaw Skill Security Scanner - professional-grade security audit tool
This is a legitimate security scanning tool for OpenClaw skills. It performs static analysis on local files only, with no network exfiltration, credential theft, or obfuscation. The intentionally declared high-risk status is appropriate for a security auditing tool.
Skill name: jax-skill-security-scanner
Analysis time: 39.4s
Engine: pi
Verdict: safe to install
This tool is safe to use for scanning skills. Review code periodically as you would any security tool. The broad security warning in documentation is a minor documentation issue without actual security impact.

Security findings: 2

Severity: Low
Finding: Overly cautious security warning (category: documentation deception)
Location: SKILL.md:1
SKILL.md explicitly labels this tool as 'high risk' with a warning banner, which is misleading for a benign security scanner. This is documented intent but could cause unnecessary alarm.
Evidence: 🚨 **Security warning**: this tool itself is flagged as high risk; this is expected!
→ Consider rephrasing the warning to clarify that this is a security tool that legitimately needs file read access, not an actual high-risk skill.

Severity: Low
Finding: No production dependencies (category: supply chain)
Location: package.json:1
package.json has no production dependencies (only one devDependency: typescript). All functionality uses built-in Node.js APIs.
Evidence: "devDependencies": {"typescript": "^5.9.3"}
→ This is a positive finding: minimal attack surface.
Resource type          Declared  Inferred  Status        Evidence
File system            READ      READ      ✓ Consistent  Uses fs/promises for read-only file scanning operations
Network access         NONE      NONE                    No network calls found in codebase - purely local analysis
Command execution      NONE      NONE                    No subprocess or shell execution found
Environment variables  NONE      NONE                    No environment variable harvesting - only uses process.argv and path operations
Skill invocation       NONE      NONE                    Tool registration only, no skill-to-skill invocation
Other findings: 8

Medium  External URL   https://img.shields.io/npm/v/@jax-npm/skill-security-scanner.svg  README.md:5
Medium  External URL   https://www.npmjs.com/package/@jax-npm/skill-security-scanner  README.md:5
Medium  External URL   https://img.shields.io/badge/License-MIT-yellow.svg  README.md:6
Medium  External URL   https://opensource.org/licenses/MIT  README.md:6
Medium  External URL   https://img.shields.io/badge/OpenClaw-Compatible-brightgreen.svg  README.md:7
Medium  External URL   https://openclaw.ai  README.md:7
Medium  External URL   https://docs.jax-npm.com/skill-security-scanner  README.md:354
Info    Email address  [email protected]  SKILL.md:434

Directory structure

17 files · 122.4 KB · 3151 lines
JavaScript: 9 files · 2089 lines; Markdown: 2 files · 808 lines; JSON: 2 files · 165 lines; TypeScript: 4 files · 89 lines
├─ 📁 bin
│ └─ 📜 skill-security-scan.js JavaScript 226L · 6.8 KB
├─ 📁 dist
│ ├─ 📜 hallucination-detector.js JavaScript 161L · 9.0 KB
│ ├─ 📜 index.d.ts TypeScript 8L · 338 B
│ ├─ 📜 index.js JavaScript 82L · 3.6 KB
│ ├─ 📜 prompt-poison-detector.js JavaScript 178L · 9.8 KB
│ ├─ 📜 reporter_enhanced.js JavaScript 255L · 9.9 KB
│ ├─ 📜 reporter.d.ts TypeScript 10L · 352 B
│ ├─ 📜 reporter.js JavaScript 439L · 20.3 KB
│ ├─ 📜 scanner-new.js JavaScript 248L · 10.7 KB
│ ├─ 📜 scanner.d.ts TypeScript 53L · 1.4 KB
│ ├─ 📜 scanner.js JavaScript 308L · 13.8 KB
│ ├─ 📜 trojan-detector.d.ts TypeScript 18L · 590 B
│ └─ 📜 trojan-detector.js JavaScript 192L · 9.1 KB
├─ 📋 openclaw.plugin.json JSON 77L · 2.7 KB
├─ 📋 package.json JSON 88L · 2.2 KB
├─ 📝 README.md Markdown 360L · 10.1 KB
└─ 📝 SKILL.md Markdown 448L · 11.8 KB

Dependency analysis: 1 item

Package     Version  Source  Known vulnerabilities  Notes
typescript  ^5.9.3   npm     (none listed)          Dev dependency only, not used at runtime

Security highlights

✓ No network calls or data exfiltration detected
✓ No credential harvesting or environment variable theft
✓ No obfuscation techniques (references to base64, eval and the Function constructor are used for legitimate pattern matching only)
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)
✓ No subprocess or shell execution
✓ Clean dependency tree with only TypeScript as devDependency
✓ All pattern detection is local static analysis
✓ MIT licensed with transparent open-source intent