Trusted — risk score 5/100
Last scan: 2 days ago
jest-unittest
Jest-based unit test management skill providing coverage detection, auto-completion to 100%, and test failure diagnosis/fixing for frontend projects
Jest-based unit test management skill with well-documented functionality, appropriate permissions, and no malicious indicators.
Skill name: jest-unittest
Analysis time: 42.3s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Security findings: 3

Severity: Info
Finding: Broad file write capabilities in unittest-completer
The unittest-completer sub-skill has Write/Edit/MultiEdit permissions to create and modify test files. This is necessary for its auto-completion feature but grants broader file write access than the testing domain alone requires.
Evidence: allowed-tools: Read, Edit, MultiEdit, Write, Bash, Glob, Grep, TaskCreate, TaskUpdate, TaskList
→ This is legitimate behavior for a test auto-completion tool. Test files are created in the project's designated test directory ($PATH/$testDir/), not in arbitrary locations.
Location: sub-skills/unittest-completer/SKILL.md:5

Severity: Info
Finding: Configuration isolation using project hash
The skill stores project-specific configuration in .temp/projects/<hash>/, where <hash> is the MD5 hash of the project root. This prevents configuration conflicts between multiple projects.
Evidence: const projectDir = path.join(skillRoot, '.temp', 'projects', hash);
→ Security-positive design: isolates per-project config and uses .temp/ (outside git) for temporary data.
Location: scripts/resolve-project.cjs:67

Severity: Info
Finding: Legitimate Jest command execution
The skill uses execSync to run `npx jest` commands for testing. This is expected behavior for a unit testing tool.
Evidence: execSync(testCommand, { cwd: projectRoot, encoding: 'utf-8', ... })
→ No action needed; this is the core functionality of the skill.
Location: scripts/analyze-coverage/index.cjs:41
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ,WRITE | READ,WRITE | ✓ consistent | unittest-completer/SKILL.md declares Write/Edit for test file creation; unittest… |
| Command execution | WRITE | WRITE | ✓ consistent | Bash tool declared in all sub-skills; used to run `npx jest` commands which is e… |
| Network access | NONE | NONE | | No network requests found; only runs local Jest commands |
| Environment variables | NONE | NONE | | No sensitive environment variable access or exfiltration |
| Database | NONE | NONE | | No database access |
| Clipboard | NONE | NONE | | No clipboard access |

Directory structure

13 files · 57.7 KB · 1699 lines
JavaScript: 6 files · 1017 lines; Markdown: 6 files · 677 lines; JSON: 1 file · 5 lines
├─ scripts/
│  ├─ guard-config.cjs (JavaScript, 70L · 2.6 KB)
│  ├─ reload.cjs (JavaScript, 201L · 6.6 KB)
│  └─ resolve-project.cjs (JavaScript, 94L · 2.7 KB)
├─ sub-skills/
│  ├─ unittest-checker/
│  │  ├─ scripts/
│  │  │  └─ analyze-coverage/
│  │  │     └─ index.cjs (JavaScript, 198L · 5.5 KB)
│  │  └─ SKILL.md (Markdown, 46L · 2.0 KB)
│  ├─ unittest-completer/
│  │  ├─ scripts/
│  │  │  └─ check-coverage-100/
│  │  │     ├─ index.cjs (JavaScript, 221L · 6.3 KB)
│  │  │     └─ README.md (Markdown, 106L · 2.7 KB)
│  │  └─ SKILL.md (Markdown, 154L · 6.8 KB)
│  └─ unittest-doctor/
│     ├─ scripts/
│     │  └─ test-error-reporter/
│     │     └─ index.cjs (JavaScript, 233L · 7.9 KB)
│     └─ SKILL.md (Markdown, 174L · 7.1 KB)
├─ _meta.json (JSON, 5L · 80 B)
├─ README.md (Markdown, 149L · 5.0 KB)
└─ SKILL.md (Markdown, 48L · 2.3 KB)

Security highlights

✓ Comprehensive documentation with SKILL.md files for main skill and all sub-skills
✓ Project configuration isolation prevents cross-project data leakage
✓ Uses .temp/ directory (outside git) for temporary files and coverage reports
✓ No credential harvesting, sensitive path access, or data exfiltration
✓ No base64-encoded payloads, hidden instructions, or obfuscated code
✓ Clear error handling with specific error types (config_error, env_error, test_error)
✓ Legitimate subprocess usage for running Jest tests - documented and necessary
✓ Jest configuration parsing uses regex extraction - no unsafe eval()
✓ No external network requests except `npx jest --version` for version detection