palette 安全扫描报告 — 可疑 | ClawSafe

45 /100

palette

Color Palette Generation & Management Tool

The skill claims to generate color palettes using color theory algorithms, but the actual implementation merely logs command invocations without performing any color processing. Additionally, undeclared commands (stats, search, recent, status) exist in the script.

技能名称palette

分析耗时28.8s

引擎pi

⚠

谨慎使用

Review the mismatch between documented color theory functionality and actual logging-only behavior. Verify if this is abandoned/dead code or intentionally minimal functionality disguised as a full tool.

安全发现 4 项

严重性	安全发现	位置
高危	Core color theory functionality not implemented 文档欺骗 SKILL.md describes generating 'harmonious color palettes using color theory (complementary, analogous, triadic)' and 'create random palettes', but script.sh contains zero color processing code. Commands only append timestamps to log files. `echo "$ts\|create\|${*}" >> "$DATA_DIR/create.log"` → Either implement the documented color theory algorithms or update SKILL.md to accurately reflect that this skill only logs command invocations.	`scripts/script.sh:54`
中危	Undeclared commands present in script 文档欺骗 Commands 'stats', 'search', 'recent', and 'status' are implemented in script.sh but not documented in SKILL.md. The 'search' command uses grep on log files. `cmd_stats() { echo "=== palette Statistics ==="; ... }` → Document all available commands or remove undocumented ones.	`scripts/script.sh:68`
低危	Export formats not implemented as documented 文档欺骗 SKILL.md claims export to 'CSS custom properties, JSON, SVG swatches, Tailwind config, or SCSS variables'. The actual cmd_export only supports json/csv/txt formats and exports log data, not color palettes. `case "$fmt" in json\|csv\|txt)` → Update documentation to match implemented formats or implement claimed formats.	`scripts/script.sh:74`
低危	Duplicate case label for 'export' command code_quality The case statement has 'export)' appearing twice (lines 54 and 74). The first handler just logs; the second does actual work. The first 'export' case is unreachable dead code. `export) ... ;; export) cmd_export ...` → Remove the duplicate case label or clarify intent.	`scripts/script.sh:54`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	script.sh:10 mkdir -p ~/.palette; script.sh passes
命令执行	`NONE`	`READ`	✓ 一致	script.sh:58-65 uses grep on log files; minor

2 项发现

🔗

中危外部 URL 外部 URL

https://bytesagain.com

SKILL.md:6

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:144

目录结构

2 文件 · 11.3 KB · 371 行

Shell 1f · 227L Markdown 1f · 144L

├─ ▾ 📁 scripts

│ └─ 🔧 script.sh Shell 227L · 7.1 KB

└─ 📝 SKILL.md Markdown 144L · 4.2 KB

安全亮点

✓ No credential harvesting or environment variable iteration for sensitive keys

✓ No network requests or data exfiltration observed

✓ No base64 encoding, eval(), or obfuscation techniques

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No remote script execution (curl|bash, wget|sh)

✓ No supply chain risks detected (no external dependencies)