Scan Report
0/100
godot-bridge
Godot 4.x Project Generator CLI. Create 2D/3D games with 80+ CLI commands: projects, scenes, scripts, levels, UI, game components, physics, particles, animations, materials, and export to HTML5/Windows/macOS/Linux/Android/iOS.
ClawBridge is a legitimate Godot 4.x project generator CLI with no malicious behavior detected. All functionality (filesystem writes, shell execution for `godot --path`) is documented, scoped, and necessary for game project generation.
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md metadata declares node binary; clawbridge.js uses fs.writeFileSync/mkdi… |
| Shell | WRITE | WRITE | ✓ Aligned | clawbridge.js:728 — execSync('godot --path ...') only for the 'open' command |
| Network | READ | READ | ✓ Aligned | clawbridge.js:31 — http://www.w3.org/2000/svg in SVG icon; clawbridge.js:728 — h… |
| Environment | NONE | NONE | — | No process.env access found |
| Clipboard | NONE | NONE | — | No clipboard module usage |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database module usage |
| Skill Invoke | NONE | NONE | — | No skill invocation |
2 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | http://www.w3.org/2000/svg | clawbridge.js:31 |
| Medium | External URL | https://godotengine.org | clawbridge.js:728 |
File Tree
2 files · 40.2 KB · 909 lines
JavaScript: 1 file · 740 lines
Markdown: 1 file · 169 lines
├─ clawbridge.js (JavaScript)
└─ SKILL.md (Markdown)
Security Positives
✓ No obfuscation (no base64, no eval with encoded strings)
✓ No credential harvesting or environment variable enumeration
✓ No network exfiltration or C2 communication
✓ No remote script execution (curl|bash, wget|sh)
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No supply chain risks — no external dependencies (no package.json, no requirements.txt)
✓ Documentation accurately reflects implementation behavior
✓ Shell execution (execSync) is scoped only to 'godot --path' for the documented 'open' command
✓ All filesystem writes are project-scoped within the generated game directory