Skill Trust Decision

skill-registry-unified

Name: skill-registry-unified Trust Review Report
Item: skill-registry-unified
Rating: 32
Author: ClawSafe

该技能存在未声明的远程代码执行能力：代码通过 child_process.spawn 执行 npx clawdhub search 从外部安装技能，但 SKILL.md 未声明 shell 权限和远程安装行为。

Install decision first Source: ClawHub Scanned: Apr 6, 2026

Files 3

Artifacts 0

Violations 4

Findings 4

Most direct threat evidence

Critical RCE

未声明的远程代码执行

代码通过 child_process.spawn 执行 npx clawdhub search 命令，该命令会从远程仓库搜索并安装技能。SKILL.md 完全未声明此 shell:WRITE 和 network:READ 能力。

registry_unified.js:40

Why this conclusion was reached

2/4 dimensions flagged

Block

Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Pass

Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block

Attack chain and severe findings

The report includes 4 attack-chain steps and 2 severe findings.

Review

Dependencies and supply chain hygiene

1 dependency or supply-chain issues need attention.

Attack Chain

用户输入技能搜索请求

Entry · SKILL.md:1

未声明的 shell 执行 spawn npx clawdhub search

Escalation · registry_unified.js:40

从 ClawHub 下载并安装未知技能

Escalation · registry_unified.js:40

恶意技能获得同等权限，可执行代码/窃取数据

Impact · registry_unified.js:40

What drove the risk score up

未声明的远程执行 +35

SKILL.md未声明但代码通过spawn执行npx clawdhub search安装远程技能

阴影功能 +20

代码实际执行远程安装，但文档完全未提及

安装来源不透明 +15

从clawdhub安装的技能未经过严格安全验证

Most important evidence

Critical RCE

未声明的远程代码执行

代码通过 child_process.spawn 执行 npx clawdhub search 命令，该命令会从远程仓库搜索并安装技能。SKILL.md 完全未声明此 shell:WRITE 和 network:READ 能力。

registry_unified.js:40

必须在 SKILL.md 的 allowed-tools 或 permissions 中声明 shell:WRITE 和 network:READ 权限。

High Doc Mismatch

阴影功能：远程安装技能

SKILL.md 声称'安全安装'但未说明实际通过 clawdhub 从外部源安装代码，存在供应链风险。

SKILL.md:1

明确列出安装来源、验证机制和权限需求。

Medium Supply Chain

缺少依赖版本锁定

代码依赖 js-yaml 但无 package.json 或 requirements.txt 锁定版本。

registry_unified.js, scan-all-skills.js:3

添加 package.json 并锁定 js-yaml 版本。

Low Sensitive Access

有限的安全扫描

vetSkill() 仅检查文件名包含敏感关键字，不扫描文件内容，且发现可疑文件后仅返回 false 而非阻止安装。

registry_unified.js:28

增强安全扫描深度，扫描文件内容，并在发现敏感文件时明确阻止安装流程。

Declared capability vs actual capability

Filesystem Block

Declared NONE

→

Inferred READ

registry_unified.js:18, scan-all-skills.js:26

Filesystem Block

Declared NONE

→

Inferred WRITE

registry_unified.js:0, scan-all-skills.js:60

Shell Block

Declared NONE

→

Inferred WRITE

registry_unified.js:40 npx clawdhub search

Network Block

Declared NONE

→

Inferred READ

registry_unified.js:40 通过npx clawdhub访问远程仓库

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
js-yaml	`*`	require (implicit)	No	无 package.json，版本未知

File composition

3 files · 187 lines

JavaScript 2 files · 153 linesMarkdown 1 files · 34 lines

Files of concern · 2

registry_unified.js JavaScript · 83 lines

未声明的远程代码执行 · 有限的安全扫描

SKILL.md Markdown · 34 lines

阴影功能：远程安装技能

Other files · scan-all-skills.js

Security positives

sanitizeInput() 对用户输入做了基础过滤

vetSkill() 尝试检测敏感文件名

代码结构清晰，模块化良好