lowcode-platform-development 安全扫描报告 — 可疑 | ClawSafe

35 /100

lowcode-platform-development

Automates low-code platform creation with Vue2+ElementUI frontend and Java Spring Boot backend

SKILL.md declares executable scripts and shell operations that do not exist in the package - this is a doc-to-code mismatch where documentation describes potentially dangerous capabilities (PowerShell execution, npm/maven builds) without any actual implementation.

技能名称lowcode-platform-development

分析耗时38.2s

引擎pi

⚠

谨慎使用

Verify the skill's completeness before use. The referenced scripts/generate_project.ps1 is missing, and template directories contain only README placeholders. Request implementation files or clarification from the skill author.

安全发现 3 项

严重性	安全发现	位置
中危	Declared PowerShell script missing 文档欺骗 SKILL.md references 'scripts/generate_project.ps1' as the execution mechanism but this file does not exist in the package. Pre-scan confirms hasScripts: false. `- scripts/generate_project.ps1 – PowerShell script that runs the scaffold commands.` → Remove script reference or provide the actual implementation file	`SKILL.md:26`
中危	Template files are placeholders only 文档欺骗 Both template directories (vue-template, spring-boot-template) contain only README.md files stating 'files are omitted for brevity'. No actual scaffold code exists. `This folder should contain a minimal Vue2 project scaffold... For brevity, the actual files are omitted.` → Provide actual template files or indicate this is a documentation-only skill	`assets/vue-template/README.md:1`
低危	Shell execution described but not implemented 文档欺骗 SKILL.md describes running 'npm install' and 'mvn package' commands, implying shell:WRITE capability, but no script exists to perform these operations. The script creates... and runs `npm install` and `mvn package`. → If shell execution is intended, provide the implementation; otherwise update docs	`SKILL.md:32`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No implementation files exist to verify file operations
命令执行	`NONE`	`NONE`	—	SKILL.md:31 mentions scripts/generate_project.ps1 but file does not exist
网络访问	`NONE`	`NONE`	—	No network access observed

目录结构

5 文件 · 5.5 KB · 114 行

Markdown 4f · 96L YAML 1f · 18L

├─ ▾ 📁 assets

│ ├─ ▾ 📁 spring-boot-template

│ │ └─ 📝 README.md Markdown 8L · 363 B

│ └─ ▾ 📁 vue-template

│ └─ 📝 README.md Markdown 9L · 351 B

├─ ▾ 📁 docker

│ └─ 📋 docker-compose.yml YAML 18L · 361 B

├─ ▾ 📁 references

│ └─ 📝 architecture.md Markdown 38L · 1.9 KB

└─ 📝 SKILL.md Markdown 41L · 2.5 KB

安全亮点

✓ No actual malicious code present in the package

✓ No credential harvesting or exfiltration mechanisms

✓ No obfuscated or base64-encoded payloads

✓ No suspicious network requests or C2 indicators

✓ No sensitive path access observed (no ~/.ssh, ~/.aws, .env access)

✓ No reverse shell or RCE payloads