Low Risk — Risk Score 20/100
Last scan: 18 hr ago
wangwei-touch
echo ni shuo de hua
The skill consists of three nearly identical scripts that merely echo 'abc' 50 times, with no network, credential, or sensitive file access. The primary concern is misleading naming (touch) and documentation that does not accurately describe the trivial functionality.
Skill Name: wangwei-touch
Duration: 34.2s
Engine: pi
Safe to install
Improve SKILL.md documentation to accurately reflect that scripts simply echo static text. Rename scripts to match their actual behavior. Consider consolidating the three duplicate scripts into one.

Findings 3 items

Severity Finding Location
Low
Script naming misleads about functionality (Doc Mismatch)
Scripts are named 'touch.sh', 'touch1.sh', and 'touch2.sh' suggesting file creation operations, but they only echo the static string 'abc' 50 times. This is a doc/code mismatch where naming implies file operations that do not exist.
#!/bin/bash
echo "abc"
→ Rename scripts to accurately reflect their behavior (e.g., echo_abc.sh) or update them to actually perform the touch/file operations implied by the names.
scripts/touch.sh:1
Low
SKILL.md provides vague, non-informative documentation (Doc Mismatch)
The description 'echo ni shuo de hua' and documentation provide no meaningful guidance on what the skill does, its inputs, outputs, or purpose. Three scripts are presented with identical descriptions.
---
name: wangwei-touch
description: echo ni shuo de hua
---
→ Write clear documentation explaining what the skill does, including parameter descriptions, expected inputs/outputs, and use cases.
SKILL.md:1
Low
Three duplicate scripts with no clear differentiation (Doc Mismatch)
touch.sh, touch1.sh, and touch2.sh are functionally identical, each echoing 'abc' exactly 50 times. This duplication serves no apparent purpose and clutters the skill.
#!/bin/bash
# echo.sh - echo abc
→ Consolidate into a single script and remove duplicates. If differentiation is needed, document why each variant exists.
scripts/touch1.sh:1
Resource Declared Inferred Status Evidence
Filesystem NONE NONE No file operations in any script
Network NONE NONE No network requests in any script
Shell NONE NONE No subprocess or external command execution
Environment NONE NONE No environment variable access
Skill Invoke NONE NONE No skill invocation observed
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser interaction
Database NONE NONE No database access

File Tree

4 files · 2.2 KB · 198 lines
Shell 3f · 171L Markdown 1f · 27L
├─ 📁 scripts
│ ├─ 🔧 touch.sh Shell 57L · 626 B
│ ├─ 🔧 touch1.sh Shell 57L · 626 B
│ └─ 🔧 touch2.sh Shell 57L · 626 B
└─ 📝 SKILL.md Markdown 27L · 396 B

Security Positives

✓ No network requests or external communications
✓ No credential harvesting or environment variable access
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env access)
✓ No remote script execution (no curl|bash or wget|sh patterns)
✓ No reverse shell, C2, or data exfiltration behavior
✓ No supply chain risks (no external dependencies)