Trusted — Risk score 5/100
Last scanned: 1 day ago
skill-isolator
Project-based skill isolation and management. Enables different projects to use different skill sets with automatic loading.
Skill-isolator is a legitimate project-based skill management tool with well-documented functionality and no malicious behavior observed.
Skill name: skill-isolator
Analysis time: 35.4s
Engine: pi
OK to install
This skill is safe to use. The shell execution (execSync for clawhub install) and rm commands are documented and necessary for the stated functionality.

Security findings: 2

Severity | Finding | Location
Low
Shell execution via execSync (code execution)
Script uses child_process.execSync to run 'clawhub install' command. This is documented and necessary for the skill installation feature.
execSync(cmd, { stdio: 'inherit', cwd: process.cwd(), env: {...process.env, FORCE_COLOR: '1'} })
→ No action needed - this is documented functionality for installing skills from clawhub registry
scripts/sync-project-skills.js:78
Low
Documentation of rm -rf command (documentation deception)
FAQ.md line 188 documents 'rm -rf ~/.openclaw/skills/<skill-name>' as a legitimate skill uninstall method. This is standard CLI practice and properly documented.
rm -rf ~/.openclaw/skills/<skill-name>
→ No action needed - documented uninstall procedure for the skill's own directory
references/faq.md:188
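Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | WRITE | ✓ Consistent | SKILL.md: Reads/writes .openclaw-skills.json in project; accesses ~/.openclaw fo…
Command execution | NONE | WRITE | ✓ Consistent | scripts/sync-project-skills.js:28 - Uses execSync to run 'clawhub install'
Network access | NONE | READ | ✓ Consistent | Installs skills from clawhub registry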
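1 critical · 3 findings
Critical | Dangerous command | Dangerous shell command
rm -rf ~
references/faq.md:188 (the same location as the documented uninstall command rm -rf ~/.openclaw/skills/<skill-name> listed in the security findings; the matched text is the leading portion of that command)
Medium | External URL | External URL
https://discord.com/invite/clawd
references/faq.md:426
Info | Email | Email address
[email protected]
references/tutorials.md:283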

Directory structure

12 files · 73.3 KB · 3461 lines
Markdown 7f · 2576L | JavaScript 3f · 801L | JSON 2f · 84L
├─ 📁 references
│ ├─ 📋 example-config.json JSON 48L · 888 B
│ ├─ 📝 faq.md Markdown 434L · 8.0 KB
│ ├─ 📝 quick-reference.md Markdown 133L · 2.3 KB
│ ├─ 📝 tutorials.md Markdown 522L · 9.9 KB
│ └─ 📝 usage-guide.md Markdown 625L · 11.1 KB
├─ 📁 scripts
│ ├─ 📜 init-project-config.js JavaScript 162L · 4.2 KB
│ ├─ 📜 sync-project-skills.js JavaScript 338L · 9.1 KB
│ └─ 📜 validate-config.js JavaScript 301L · 8.5 KB
├─ 📋 package.json JSON 36L · 997 B
├─ 📝 README.md Markdown 133L · 3.0 KB
├─ 📝 SKILL.md Markdown 414L · 8.8 KB
└─ 📝 TEST-REPORT.md Markdown 315L · 6.6 KB

Dependency analysis: 4 items

Package | Version | Source | Known vulnerabilities | Notes
fs | built-in | node | | Built-in Node.js module
path | built-in | node | | Built-in Node.js module
child_process | built-in | node | | Built-in Node.js module
readline | built-in | node | | Built-in Node.js module

Security highlights

✓ No credential harvesting or environment variable scanning for sensitive keys
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No hidden functionality - all features declared in SKILL.md
✓ No external IP connections except to documented clawhub registry
✓ File operations restricted to ~/.openclaw directory
✓ No supply chain risks - no external dependencies with vulnerabilities
✓ Comprehensive documentation matches code implementation
✓ Proper error handling and input validation