Suspicious — Risk Score 45/100
Last scan: 22 hr ago
palette
Color Palette Generation & Management Tool
The skill claims to generate color palettes using color theory algorithms, but the actual implementation merely logs command invocations without performing any color processing. Additionally, undeclared commands (stats, search, recent, status) exist in the script.
Skill Name: palette
Duration: 28.8s
Engine: pi
Use with caution
Review the mismatch between documented color theory functionality and actual logging-only behavior. Verify if this is abandoned/dead code or intentionally minimal functionality disguised as a full tool.

Findings 4 items

Severity Finding Location
High
Core color theory functionality not implemented Doc Mismatch
SKILL.md describes generating 'harmonious color palettes using color theory (complementary, analogous, triadic)' and 'create random palettes', but script.sh contains zero color processing code. Commands only append timestamps to log files.
echo "$ts|create|${*}" >> "$DATA_DIR/create.log"
→ Either implement the documented color theory algorithms or update SKILL.md to accurately reflect that this skill only logs command invocations.
scripts/script.sh:54
Medium
Undeclared commands present in script Doc Mismatch
Commands 'stats', 'search', 'recent', and 'status' are implemented in script.sh but not documented in SKILL.md. The 'search' command uses grep on log files.
cmd_stats() { echo "=== palette Statistics ==="; ... }
→ Document all available commands or remove undocumented ones.
scripts/script.sh:68
Low
Export formats not implemented as documented Doc Mismatch
SKILL.md claims export to 'CSS custom properties, JSON, SVG swatches, Tailwind config, or SCSS variables'. The actual cmd_export only supports json/csv/txt formats and exports log data, not color palettes.
case "$fmt" in json|csv|txt)
→ Update documentation to match implemented formats or implement claimed formats.
scripts/script.sh:74
Low
Duplicate case label for 'export' command code_quality
The case statement has 'export)' appearing twice (lines 54 and 74). The first handler just logs; the second does actual work. The first 'export' case is unreachable dead code.
export) ... ;; export) cmd_export ...
→ Remove the duplicate case label or clarify intent.
scripts/script.sh:54
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned script.sh:10 mkdir -p ~/.palette; script.sh passes
Shell NONE READ ✓ Aligned script.sh:58-65 uses grep on log files; minor
2 findings
Medium External URL
https://bytesagain.com
SKILL.md:6
Info Email
[email protected]
SKILL.md:144

File Tree

2 files · 11.3 KB · 371 lines
Shell 1f · 227L Markdown 1f · 144L
├─ 📁 scripts
│ └─ 🔧 script.sh Shell 227L · 7.1 KB
└─ 📝 SKILL.md Markdown 144L · 4.2 KB

Security Positives

✓ No credential harvesting or environment variable iteration for sensitive keys
✓ No network requests or data exfiltration observed
✓ No base64 encoding, eval(), or obfuscation techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risks detected (no external dependencies)