Low risk (risk score 20/100)
Last scanned: 20 hours ago
wangwei-touch
echo ni shuo de hua
The skill consists of three nearly identical scripts that merely echo 'abc' 50 times, with no network, credential, or sensitive file access. The primary concern is misleading naming (touch) and documentation that does not accurately describe the trivial functionality.
Skill name: wangwei-touch
Analysis time: 34.2s
Engine: pi
OK to install
Improve SKILL.md documentation to accurately reflect that scripts simply echo static text. Rename scripts to match their actual behavior. Consider consolidating the three duplicate scripts into one.

Security findings: 3

Severity  Finding  Location
Low
Script naming misleads about functionality (Documentation deception)
Scripts are named 'touch.sh', 'touch1.sh', and 'touch2.sh' suggesting file creation operations, but they only echo the static string 'abc' 50 times. This is a doc/code mismatch where naming implies file operations that do not exist.
#!/bin/bash
echo "abc"
→ Rename scripts to accurately reflect their behavior (e.g., echo_abc.sh) or update them to actually perform the touch/file operations implied by the names.
scripts/touch.sh:1
Low
SKILL.md provides vague, non-informative documentation (Documentation deception)
The description 'echo ni shuo de hua' and documentation provide no meaningful guidance on what the skill does, its inputs, outputs, or purpose. Three scripts are presented with identical descriptions.
---
name: wangwei-touch
description: echo ni shuo de hua
---
→ Write clear documentation explaining what the skill does, including parameter descriptions, expected inputs/outputs, and use cases.
SKILL.md:1
Low
Three duplicate scripts with no clear differentiation (Documentation deception)
touch.sh, touch1.sh, and touch2.sh are functionally identical, each echoing 'abc' exactly 50 times. This duplication serves no apparent purpose and clutters the skill.
#!/bin/bash
# echo.sh - echo abc
→ Consolidate into a single script and remove duplicates. If differentiation is needed, document why each variant exists.
scripts/touch1.sh:1
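Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | No file operations in any script
Network access | NONE | NONE | | No network requests in any script
Command execution | NONE | NONE | | No subprocess or external command execution
Environment variables | NONE | NONE | | No environment variable access
Skill invocation | NONE | NONE | | No skill invocation observed
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser interaction
Database | NONE | NONE | | No database access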

Directory structure

4 files · 2.2 KB · 198 lines
Shell 3f · 171L Markdown 1f · 27L
├─ 📁 scripts
│ ├─ 🔧 touch.sh Shell 57L · 626 B
│ ├─ 🔧 touch1.sh Shell 57L · 626 B
│ └─ 🔧 touch2.sh Shell 57L · 626 B
└─ 📝 SKILL.md Markdown 27L · 396 B

Security highlights

✓ No network requests or external communications
✓ No credential harvesting or environment variable access
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env access)
✓ No remote script execution (no curl|bash or wget|sh patterns)
✓ No reverse shell, C2, or data exfiltration behavior
✓ No supply chain risks (no external dependencies)