Low risk: risk score 20/100
Last scan: 1 day ago
thecorporation-form-and-operate
CLI skill for corporate governance management via the `npx corp` command
This skill is pure documentation for a corporate governance CLI tool and contains no executable code. The only concern is the unpinned npx package dependency, which introduces a minor supply-chain risk.
Skill name: thecorporation-form-and-operate
Analysis time: 35.7s
Engine: pi
Verdict: can be installed
Consider pinning the npm package version (e.g., @thecorporation/[email protected]) in the install section to ensure reproducibility and prevent unexpected changes. Pinning fixes which version npx resolves; it does not verify the package contents, so the registry and the package's publishing pipeline are still trusted.

Security findings: 1

Severity   Finding                         Location
Low        Unpinned npm package version    Supply chain

The skill declares '@thecorporation/cli' without a version constraint. Using npx without pinning resolves whatever version the registry currently serves, so the package can change between runs and introduce malicious or breaking changes.

    install:
      - kind: node
        package: "@thecorporation/cli"

→ Pin to a specific version: package: "@thecorporation/[email protected]"
Location: SKILL.md:7
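The check behind this finding is mechanical: read each `package:` entry in the install block and test whether its version is an exact semver rather than absent, a range or a dist-tag. The following is an added example of that check, written for this report and not code from the scanner or from the @thecorporation/cli project; the sample install block repeats the flagged entry and adds two constructed package names (`example-range-tool`, `example-pinned-tool`) to show a range and an exact pin side by side.

```javascript
// Check whether package specifiers in a SKILL.md `install:` block are pinned
// to an exact version. Added example for this report; not part of the scanner
// or of @thecorporation/cli. SAMPLE_INSTALL is constructed for illustration.

// Exact semver: MAJOR.MINOR.PATCH plus optional prerelease / build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "name@version" into { name, version }; version is null when absent.
// The leading "@" of a scoped package ("@scope/name") is not a separator,
// so the version is taken after the LAST "@" in the remainder.
function splitSpec(spec) {
  const s = spec.trim().replace(/^["']|["']$/g, "");
  const scoped = s.startsWith("@");
  const body = scoped ? s.slice(1) : s;
  const at = body.lastIndexOf("@");
  if (at === -1) return { name: s, version: null };
  return {
    name: (scoped ? "@" : "") + body.slice(0, at),
    version: body.slice(at + 1),
  };
}

// A spec counts as pinned only if its version is an exact semver; ranges
// ("^2.0.0", "~4.17.0", ">=1"), dist-tags ("latest") and a missing version
// all let npx resolve something different on a later run.
function isPinned(spec) {
  const { version } = splitSpec(spec);
  return version !== null && EXACT_SEMVER.test(version);
}

// Return the unpinned `package:` entries of an install block, with a 1-based
// line number relative to the block so a finding can cite SKILL.md:<line>.
function unpinnedPackages(installBlock) {
  const out = [];
  installBlock.split("\n").forEach((line, i) => {
    const m = line.match(/^\s*package:\s*(.+?)\s*$/);
    if (m && !isPinned(m[1])) {
      const { name, version } = splitSpec(m[1]);
      out.push({ line: i + 1, name, version });
    }
  });
  return out;
}

// Constructed sample: the first entry is the one the scan flagged; the other
// two are made-up packages showing a caret range and an exact pin.
const SAMPLE_INSTALL = [
  "install:",
  "  - kind: node",
  '    package: "@thecorporation/cli"',
  "  - kind: node",
  '    package: "example-range-tool@^2.0.0"',
  "  - kind: node",
  '    package: "example-pinned-tool@1.4.2"',
].join("\n");

// Human-readable report lines for the sample block.
function report(installBlock) {
  return unpinnedPackages(installBlock).map(
    (f) => `line ${f.line}: ${f.name} is not pinned (version: ${f.version ?? "none"})`
  );
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of report(SAMPLE_INSTALL)) console.log(line);
}
```

Run against the sample, the two unpinned entries are reported and `example-pinned-tool@1.4.2` is accepted. To pick a version to pin in a real install block, list what the registry has with `npm view <package> versions`.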
Resource type          Declared   Inferred   Status / evidence
File system            NONE       NONE       SKILL.md is documentation only, with no file operations
Network access         NONE       NONE       No network calls in the skill documentation
Command execution      NONE       NONE       SKILL.md contains no shell commands; npx usage is documented for CLI invocation …
Environment variables  NONE       NONE       No environment variable access documented
Skill invocation       NONE       NONE       No skill-to-skill invocation
Clipboard              NONE       NONE       No clipboard operations
Browser                NONE       NONE       No browser automation
Database               NONE       NONE       No direct database access
Informational findings: 2
Info   Email   Email address: [email protected]   SKILL.md:85
Info   Email   Email address: [email protected]   SKILL.md:86

Directory structure

1 file · 19.1 KB · 479 lines
Markdown: 1 file · 479 lines
└─ SKILL.md   Markdown   479 lines · 19.1 KB

Security highlights

✓ Pure documentation file with no executable code
✓ No obfuscation or hidden functionality
✓ No credential harvesting or sensitive data access
✓ No network calls within the skill
✓ No shell command injection vectors
✓ Documentation accurately reflects stated functionality