ai-intelligent-asset-management 安全扫描报告 — 高风险 | ClawSafe

65 /100

ai-intelligent-asset-management

IT 资产管理，硬件/软件全生命周期 (claimed) / AI intelligent ai-intelligent-asset-management (skill.json)

Skill presents itself as a functional IT asset management system but contains zero executable code, creating a deceptive facade with suspicious embedded metadata.

技能名称ai-intelligent-asset-management

分析耗时29.1s

引擎pi

⛔

不要安装此技能

Do not deploy this skill. The absence of any code files despite claiming installation requirements (pip install, python app.py) indicates either an abandoned project or a deceptive placeholder. The embedded YAML metadata is non-standard.

攻击链 3 步

⬡

提权 Skill presents as legitimate IT asset management tool with professional pricing tiers

SKILL.md:1

⬡

提权 Installation instructions reference non-existent requirements.txt and app.py

SKILL.md:27

⬡

提权 No code files exist - skill is purely documentation with no verifiable functionality

SKILL.md:1

安全发现 3 项

严重性	安全发现	位置
高危	Documentation claims executable application with no code 文档欺骗 SKILL.md installation section instructs users to 'pip install -r requirements.txt' and 'python app.py', but neither requirements.txt nor app.py (or any code file) exists in the repository. This is either an abandoned project or a deceptive placeholder. `pip install -r requirements.txt python app.py` → Verify if this is a legitimate placeholder or if code was intentionally omitted. Report to platform if this is a scam.	`SKILL.md:27`
高危	Embedded YAML metadata in SKILL.md 文档欺骗 SKILL.md contains YAML frontmatter (lines 1-9) with openclaw metadata including 'requires: { bins: [] }'. This non-standard documentation structure is unusual and may contain hidden configurations. `--- name: ai-intelligent-asset-management version: 1.0.0 metadata: openclaw: emoji: "🤖" requires: bins: [] ---` → Review why metadata is embedded in SKILL.md instead of skill.json. Verify the 'bins' requirement array is intentionally empty.	`SKILL.md:1`
中危	Description mismatch between SKILL.md and skill.json 文档欺骗 SKILL.md describes 'IT 资产管理，硬件/软件全生命周期' while skill.json has generic 'AI intelligent ai-intelligent-asset-management'. The inconsistency suggests hasty or deceptive creation. `"description": "AI intelligent ai-intelligent-asset-management"` → Ensure skill metadata is consistent across all documentation files.	`skill.json:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No code files present to infer capabilities
网络访问	`NONE`	`NONE`	—	No code files present to infer capabilities
命令执行	`NONE`	`NONE`	—	No code files present to infer capabilities

目录结构

2 文件 · 1.2 KB · 58 行

Markdown 1f · 51L JSON 1f · 7L

├─ 📋 skill.json JSON 7L · 219 B

└─ 📝 SKILL.md Markdown 51L · 1019 B

安全亮点

✓ No malicious code files detected (there are no code files at all)

✓ No network exfiltration patterns found

✓ No credential harvesting code present

✓ No reverse shell or C2 infrastructure indicators