中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 15/100
Last scan:19 hr ago Rescan
15 /100
qmap-client
CLI tool for the QuantMap distributed computing protocol. Manages node setup, task execution, and result submission on devnet.
Skill consists solely of documentation; no scripts, code, or dependencies are present. All declared behavior is verifiable from the markdown alone, with no hidden functionality detected.
Skill Nameqmap-client
Duration28.5s
Enginepi
Safe to install
This skill is a pure documentation wrapper for a third-party npm package. While not immediately dangerous, the entire trust model depends on the integrity of @alphify/qmap-client — an external, unauditable npm dependency. Verify the package provenance on npm before deployment, and consider requesting the package source be included in the skill for transparency.

Findings 1 items

Severity Finding Location
Low
Third-party npm dependency cannot be audited Supply Chain
The skill contains only documentation (SKILL.md). All substantive functionality is delegated to the npm package @alphify/qmap-client, which is not bundled and cannot be reviewed from within this skill. The skill's entire security posture depends on the npm package's integrity.
npm i -g @alphify/qmap-client
→ Request the package source code be included in the skill for independent security review, or pin to a specific, audited version hash.
 SKILL.md:15
ResourceDeclaredInferredStatusEvidence
Filesystem NONE NONE SKILL.md makes no filesystem access claims; configuration path ~/.qmap/ mentione…
Network NONE NONE SKILL.md describes network participation (devnet node joining) but does not decl…
Shell NONE NONE No shell commands executed in-skill. npm install and qmap CLI invocations are de…
Environment NONE NONE No environment variable access described or implied.
Skill Invoke NONE NONE No nested skill invocations declared.
Clipboard NONE NONE No clipboard access mentioned.
Browser NONE NONE No browser access mentioned.
Database NONE NONE No database access mentioned.
1 findings
🔗
Medium External URL 外部 URL
https://clawhub.com/skills/qmap-client
SKILL.md:8

File Tree

1 files · 1.8 KB · 91 lines
Markdown 1f · 91L
└─ 📝 SKILL.md Markdown 91L · 1.8 KB

Security Positives

✓ No executable scripts or code files present — no attack surface beyond documentation.
✓ No credential harvesting, data exfiltration, or obfuscation observed.
✓ No hidden HTML comments, base64 payloads, or subprocess calls.
✓ Declared behavior (devnet CLI tool) is internally consistent and plausible.
✓ Identity files stated as stored locally and never uploaded — a positive security claim.
✓ No sensitive file paths (~/.ssh, ~/.aws, .env) accessed or referenced.