Low risk — risk score 15/100
Last scanned: 20 hours ago
qmap-client
CLI tool for the QuantMap distributed computing protocol. Manages node setup, task execution, and result submission on devnet.
Skill consists solely of documentation; no scripts, code, or dependencies are present. All declared behavior is verifiable from the markdown alone, with no hidden functionality detected.
Skill name: qmap-client
Analysis time: 28.5s
Engine: pi
Can be installed
This skill is a pure documentation wrapper for a third-party npm package. While not immediately dangerous, the entire trust model depends on the integrity of @alphify/qmap-client — an external, unauditable npm dependency. Verify the package provenance on npm before deployment, and consider requesting the package source be included in the skill for transparency.

Security findings: 1

Severity: Low
Finding: Third-party npm dependency cannot be audited (supply chain)
Location: SKILL.md:15
The skill contains only documentation (SKILL.md). All substantive functionality is delegated to the npm package @alphify/qmap-client, which is not bundled and cannot be reviewed from within this skill. The skill's entire security posture depends on the npm package's integrity.
npm i -g @alphify/qmap-client
→ Request the package source code be included in the skill for independent security review, or pin to a specific, audited version hash.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | SKILL.md makes no filesystem access claims; configuration path ~/.qmap/ mentione…
Network access | NONE | NONE | | SKILL.md describes network participation (devnet node joining) but does not decl…
Command execution | NONE | NONE | | No shell commands executed in-skill. npm install and qmap CLI invocations are de…
Environment variables | NONE | NONE | | No environment variable access described or implied.
Skill invocation | NONE | NONE | | No nested skill invocations declared.
Clipboard | NONE | NONE | | No clipboard access mentioned.
Browser | NONE | NONE | | No browser access mentioned.
Database | NONE | NONE | | No database access mentioned.
1 finding
Medium: External URL
https://clawhub.com/skills/qmap-client
SKILL.md:8

Directory structure

1 file · 1.8 KB · 91 lines
Markdown 1f · 91L
└─ 📝 SKILL.md Markdown 91L · 1.8 KB

Security highlights

✓ No executable scripts or code files present — no attack surface beyond documentation.
✓ No credential harvesting, data exfiltration, or obfuscation observed.
✓ No hidden HTML comments, base64 payloads, or subprocess calls.
✓ Declared behavior (devnet CLI tool) is internally consistent and plausible.
✓ Identity files stated as stored locally and never uploaded — a positive security claim.
✓ No sensitive file paths (~/.ssh, ~/.aws, .env) accessed or referenced.