Low Risk — Risk Score 18/100
Last scan: 23 hr ago
claude-code-framework
Claude Code Framework - A defensive execution framework providing permission checks, context budget monitoring, and lifecycle hooks for AI agents
A defensive security framework providing permission checks, context budget management, and lifecycle hooks. No malicious behavior detected; code matches documented functionality.
Skill Name: claude-code-framework
Duration: 36.5s
Engine: pi
Safe to install
This skill is safe to use. Monitor the 'leaked source code' branding claim for accuracy. No changes needed.

Findings 2 items

Severity: Low
Finding: Questionable source attribution (Doc Mismatch)
Location: SKILL.md:1
SKILL.md claims this framework was extracted from 'Claude Code 泄露源码' (leaked Claude Code source code). While the code itself is legitimate, the provenance claim cannot be verified.
Based on analysis of the leaked Claude Code v2.1.88 source code, 2026-04-03
→ Verify the source attribution or remove the 'leaked source' claim to avoid misrepresentation

Severity: Info
Finding: Config file flagged as sensitive (Sensitive Access)
Location: config.json:1
config.json was flagged as sensitive by pre-scan but contains only framework configuration (rules, thresholds, hook settings) with no actual secrets or credentials.
Configuration contains permission rules and thresholds, no credentials
→ No action needed - this is a false positive from the sensitive file heuristic

Resource      Declared  Inferred  Status  Evidence
Filesystem    NONE      NONE              No file operations in code
Network       NONE      NONE              No network calls in code
Shell         NONE      NONE              No subprocess/exec calls
Environment   NONE      NONE              No os.environ access
Skill Invoke  NONE      NONE              No skill invocation
Clipboard     NONE      NONE              No clipboard access
Browser       NONE      NONE              No browser automation
Database      NONE      NONE              No database operations

File Tree

6 files · 32.0 KB · 1269 lines
TypeScript 4f · 926L Markdown 1f · 263L JSON 1f · 80L
├─ 🔑 config.json JSON 80L · 2.3 KB
├─ 📜 context-budget.ts TypeScript 204L · 5.3 KB
├─ 📜 handler.ts TypeScript 281L · 8.0 KB
├─ 📜 hook-manager.ts TypeScript 303L · 7.0 KB
├─ 📜 risk-classifier.ts TypeScript 138L · 3.8 KB
└─ 📝 SKILL.md Markdown 263L · 5.7 KB

Security Positives

✓ No credential harvesting or environment variable enumeration
✓ No network calls or external data exfiltration
✓ No shell execution (subprocess, exec, eval)
✓ No obfuscation techniques (base64, atob, eval patterns)
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ Defensive security controls properly implemented (permission checks, risk classification, hook system)
✓ Code is clean and follows TypeScript best practices