Suspicious: Risk Score 45/100
Last scan: 2 hr ago
typescript-package-manager
TypeScript package manager expert skill, covering configuration and management knowledge for npm, yarn, pnpm, bun and deno.
The skill claims to provide knowledge guidance, but its implementation contains remote script execution (a curl|bash pipeline) and an undeclared shell execution capability; documentation and behavior diverge.
Skill Name: typescript-package-manager
Duration: 56.3s
Engine: pi
ClawHub TypeScript Package Manager v1.0.0 by jhauga
📥 215
ClawHub Verdict: Suspicious (dangerous_exec)
Use with caution
Recommended review: remote script execution commands must be explicitly declared; consider removing the curl|bash pipeline pattern and installing through the official package manager instead.

Attack Chain (4 steps)

Entry: the user invokes the typescript-package-manager skill
SKILL.md:1
Escalation: the script runs a shell command via execSync to detect whether Bun is installed
scripts/bun-workflow.js:37
Escalation: when Bun is not installed, the script prints a curl|bash remote install command
scripts/bun-workflow.js:195
Impact: if the user runs that command, the system executes a script fetched from a remote URL (risk depends on the security of that URL)
scripts/bun-workflow.js:195

Findings (4 items)

Severity / Finding / Location

High: Remote script pipeline execution (RCE)
scripts/bun-workflow.js:195 and scripts/pnpm-workflow.md:51 contain the curl -fsSL <url> | bash (or | sh) pattern, the classic high-risk remote code execution pattern. It installs legitimate tools, but whoever controls or swaps the URL controls what runs, and piping straight into a shell leaves nothing on disk to inspect or checksum before it executes. Per the attack chain, bun-workflow.js prints this command for the user to run rather than executing it itself; the exposure is a user pasting it unreviewed.
Evidence: curl -fsSL https://bun.sh/install | bash
→ Use a safer install method: npm install -g bun, or corepack enable pnpm
Location: scripts/bun-workflow.js:195
Medium: Declared capability does not match actual behavior (Doc Mismatch)
SKILL.md presents this as a 'knowledge skill', but the scripts under scripts/ actually execute shell commands (execSync) and may modify system state. This is shadow functionality.
Evidence: "Expert 10x Software engineer specializing in TypeScript with deep knowledge..."
→ State explicitly in SKILL.md that the scripts execute shell commands
Location: SKILL.md:1
Medium: Undeclared shell execution capability (Priv Escalation)
The scripts use execSync to run arbitrary shell commands (npm audit, tsc, npx and others), but the allowed-tools section of SKILL.md does not declare the shell:WRITE permission. execSync always goes through /bin/sh, so this is shell execution even where the command string looks fixed.
Evidence: execSync(cmd, { encoding: 'utf8', stdio: 'pipe' })
→ Declare the required shell execution permission, and what it is used for, in the documentation
Location: scripts/bun-workflow.js:27
Low: External URL dependency (Supply Chain)
Multiple external URLs (bun.sh, pnpm.io and others) are referenced as documentation links and as install sources, which ties the skill to third-party infrastructure.
Evidence: https://bun.sh/install, https://get.pnpm.io/install.sh
→ Consider a more stable install method to reduce supply chain risk
Location: scripts/bun-workflow.js, scripts/pnpm-workflow.md:120,195,51
Resource      Declared  Inferred  Status       Evidence
Filesystem    READ      READ      ✓ Aligned    scripts only read local files such as tsconfig.json and package.json
Shell         NONE      WRITE     ✗ Violation  scripts/bun-workflow.js:195, scripts/pnpm-workflow.md:51: curl|bash pipeline remote execution
Network       NONE      READ      ✓ Aligned    scripts reach external URLs to fetch install scripts, but only as part of tool installation
Environment   NONE      READ      ✓ Aligned    health-check.js runs npm audit via execSync to read the environment
50 findings (2 Critical)

Critical · Dangerous Command · curl -fsSL https://bun.sh/install | bash · scripts/bun-workflow.js:195
Critical · Dangerous Command · curl -fsSL https://get.pnpm.io/install.sh | sh · scripts/pnpm-workflow.md:51
Medium · External URL · https://yourwebsite.com · assets/package-json-template.md:25
Medium · External URL · https://docs.npmjs.com/cli/v9/configuring-npm/package-json · assets/package-json-template.md:521
Medium · External URL · https://nodejs.org/api/packages.html · assets/package-json-template.md:522
Medium · External URL · https://www.typescriptlang.org/docs/handbook/module-resolution.html · assets/package-json-template.md:523
Medium · External URL · https://www.typescriptlang.org/docs/handbook/integrating-with-build-tools.html · references/integration-with-build-tools.md:13
Medium · External URL · https://vitejs.dev/guide/ · references/integration-with-build-tools.md:614
Medium · External URL · https://webpack.js.org/concepts/ · references/integration-with-build-tools.md:615
Medium · External URL · https://esbuild.github.io/ · references/integration-with-build-tools.md:616
Medium · External URL · https://turbo.build/repo/docs · references/integration-with-build-tools.md:617
Medium · External URL · https://en.wikipedia.org/wiki/Npm · references/package-management.md:13
Medium · External URL · https://pnpm.io/ · references/package-management.md:45
Medium · External URL · https://semver.org/ · references/package-management.md:96
Medium · External URL · https://registry.company.com · references/package-management.md:214
Medium · External URL · https://npm.company.com · references/package-management.md:217
Medium · External URL · https://en.wikipedia.org/wiki/APT_(software · references/package-management.md:285
Medium · External URL · https://en.wikipedia.org/wiki/DNF_(software · references/package-management.md:286
Medium · External URL · https://en.wikipedia.org/wiki/Zypp · references/package-management.md:287
Medium · External URL · https://en.wikipedia.org/wiki/Homebrew_(package_manager · references/package-management.md:288
Medium · External URL · https://en.wikipedia.org/wiki/Pip_(package_manager · references/package-management.md:292
Medium · External URL · https://en.wikipedia.org/wiki/Rust_(programming_language · references/package-management.md:293
Medium · External URL · https://en.wikipedia.org/wiki/Apache_Maven · references/package-management.md:294
Medium · External URL · https://en.wikipedia.org/wiki/Conda_(package_manager · references/package-management.md:295
Medium · External URL · https://pdm-project.org/en/latest/ · references/package-management.md:301
Medium · External URL · https://en.wikipedia.org/wiki/Open_Container_Initiative · references/package-management.md:306
Medium · External URL · https://en.wikipedia.org/wiki/Flatpak · references/package-management.md:307
Medium · External URL · https://en.wikipedia.org/wiki/Snap_(software · references/package-management.md:308
Medium · External URL · https://en.wikipedia.org/wiki/AppImage · references/package-management.md:309
Medium · External URL · https://flox.dev/blog/package-managers-and-package-management-a-guide-for-the-perplexed/ · references/package-management.md:313
Medium · External URL · https://hub.flox.dev/packages · references/package-management.md:315
Medium · External URL · https://docs.docker.com/build/building/best-practices/ · references/package-management.md:316
Medium · External URL · https://bun.sh/docs/runtime/bunfig · scripts/bun-workflow.js:120
Medium · External URL · https://registry.myorg.com/ · scripts/bun-workflow.js:134
Medium · External URL · https://bun.sh/install · scripts/bun-workflow.js:195
Medium · External URL · https://bun.sh/docs · scripts/bun-workflow.md:5
Medium · External URL · https://npm.mycompany.com/ · scripts/bun-workflow.md:361
Medium · External URL · https://www.typescriptlang.org/tsconfig/ · scripts/health-check.md:6
Medium · External URL · https://www.typescriptlang.org/docs/handbook/declaration-files/do-s-and-don-ts.html · scripts/health-check.md:7
Medium · External URL · https://docs.npmjs.com/ · scripts/npm-workflow.md:5
Medium · External URL · https://get.pnpm.io/install.ps1 · scripts/pnpm-workflow.md:48
Medium · External URL · https://get.pnpm.io/install.sh · scripts/pnpm-workflow.md:51
Medium · External URL · https://npm.company.com/ · scripts/pnpm-workflow.md:308
Medium · External URL · https://pnpm.io/cli/add · scripts/pnpm-workflow.md:692
Medium · External URL · https://pnpm.io/workspaces · scripts/pnpm-workflow.md:693
Medium · External URL · https://pnpm.io/benchmarks · scripts/pnpm-workflow.md:695
Medium · External URL · https://yarnpkg.com/ · scripts/yarn-workflow.md:5
Medium · External URL · https://yarnpkg.com/getting-started/migration · scripts/yarn-workflow.md:827
Medium · External URL · https://yarnpkg.com/features/pnp · scripts/yarn-workflow.md:829
Medium · External URL · https://yarnpkg.com/features/workspaces · scripts/yarn-workflow.md:830

File Tree

13 files · 164.8 KB · 6923 lines
Markdown: 10 files · 5899 lines; JavaScript: 3 files · 1024 lines
├─ 📁 assets
│ ├─ 📝 package-json-template.md Markdown 523L · 10.3 KB
│ └─ 📝 package-manager-comparison.md Markdown 289L · 8.6 KB
├─ 📁 references
│ ├─ 📝 integration-with-build-tools.md Markdown 617L · 10.3 KB
│ └─ 📝 package-management.md Markdown 316L · 8.5 KB
├─ 📁 scripts
│ ├─ 📜 bun-workflow.js JavaScript 383L · 13.4 KB
│ ├─ 📝 bun-workflow.md Markdown 682L · 13.4 KB
│ ├─ 📜 health-check.js JavaScript 313L · 12.9 KB
│ ├─ 📝 health-check.md Markdown 947L · 26.0 KB
│ ├─ 📜 npm-workflow.js JavaScript 328L · 12.4 KB
│ ├─ 📝 npm-workflow.md Markdown 692L · 13.9 KB
│ ├─ 📝 pnpm-workflow.md Markdown 695L · 11.6 KB
│ └─ 📝 yarn-workflow.md Markdown 830L · 13.6 KB
└─ 📝 SKILL.md Markdown 308L · 9.9 KB

Security Positives

✓ No credential access or theft behavior
✓ No data exfiltration or C2 communication
✓ Clear code structure, with built-in tests
✓ No malicious obfuscation or Base64-encoded execution
✓ Relies on third-party security tools for auditing and checks