Sbom Explainer

v1.0.0

Translates a dependency manifest or SBOM into a risk explanation readable by non-technical audiences, ordered by impact. Use for SBOM, dependency, and risk workflows. Do not use to fabricate CVE status or as a substitute for professional vulnerability scanning.

by vx:17605205782@52yuanchangxing
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included files and script. The bundle contains templates, a spec.json, examples, and a Python script that formats input SBOM/dependency material into the indicated structured brief. Required binary (python3) is appropriate and minimal.
Instruction Scope
SKILL.md confines the skill to explanation and briefing (it neither scans nor makes changes) and instructs the agent to use the bundled scripts and resources. The run.py implementation performs read-only analysis and templating. However, run.py accepts directories and will recursively read many text file types under whatever path it is given, so the agent or user must not point it at sensitive system directories or at directories holding secrets.
Install Mechanism
No install spec is present (instruction-only skill with a local script). This is low risk: nothing is downloaded or written to system locations by an installer.
Credentials
No environment variables, credentials, or config paths are required. The script performs local file reads only and does not contact external endpoints or require secrets.
Persistence & Privilege
Skill does not request permanent presence (always:false). It does not modify other skills or global agent settings. The script can write an output file if asked, but otherwise operates read-only and supports a dry-run mode.
Assessment
This skill appears to do what it says: produce human-friendly, structured SBOM briefings using only local inputs. Before running: (1) read scripts/run.py yourself (it is small and readable) to confirm its behavior; (2) pass only the intended SBOM files or project directories, never system roots or directories containing secrets; (3) run it in an isolated environment (a dedicated workdir or container) if you are unsure; (4) remember that the skill is an explanation layer, not a replacement for vulnerability scanning, so keep using dedicated scanners for CVE status and remediation. If you need stronger assurance, verify that no network calls occur in the execution environment and run the smoke test included in tests/smoke-test.md.
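The two cautions above, confining the recursive read to an intended directory and confirming the script stays offline, can be enforced rather than merely remembered. The following is an added example, not the skill's own run.py or any code from its author: a path guard that refuses inputs outside an allowed root and skips hidden or secret-looking files, a static import check for network-capable modules, and a small CycloneDX summary that orders components by how much of the dependency graph relies on them (a stand-in for "ordered by impact" when no scanner data is available). The sample SBOM, the file names, the module list and the secret-name list are constructed assumptions for illustration.

```python
"""Added example (not the skill's run.py): guarded SBOM input collection,
a static network-import check, and a reach-based component ranking.
The sample SBOM and the heuristic lists below are assumptions."""
import ast
import json
import tempfile
from pathlib import Path

# Imports a script described as "read-only, no network" should not need (heuristic).
NETWORK_MODULES = {"socket", "ssl", "urllib", "http", "requests", "httpx",
                   "ftplib", "smtplib"}
# Filenames that usually hold secrets; never feed these to an explainer (assumed list).
SENSITIVE_NAMES = {".env", ".netrc", ".npmrc", ".pypirc", "id_rsa", "id_ed25519"}

# Constructed CycloneDX document used as sample input.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "app", "version": "1.0", "bom-ref": "app"},
        {"type": "library", "name": "web", "version": "2.3", "bom-ref": "web"},
        {"type": "library", "name": "json-lib", "version": "0.9", "bom-ref": "json-lib"},
        {"type": "library", "name": "log-lib", "version": "4.1", "bom-ref": "log-lib"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "log-lib"]},
        {"ref": "web", "dependsOn": ["json-lib", "log-lib"]},
        {"ref": "json-lib", "dependsOn": ["log-lib"]},
    ],
}


def network_imports(source: str) -> set:
    """Static check: which network-capable modules does this Python source import?"""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            continue
        found.update(n for n in names if n.split(".")[0] in NETWORK_MODULES)
    return found


def is_sbom(path: Path) -> bool:
    """Accept only files that parse as JSON and carry a CycloneDX or SPDX marker."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return False
    return isinstance(data, dict) and ("bomFormat" in data or "spdxVersion" in data)


def collect_sbom_inputs(requested: str, allowed_root: str) -> list:
    """Recursively gather SBOM files under `requested`, refusing any path outside
    `allowed_root` and skipping hidden, secret-looking, or non-JSON files."""
    root = Path(allowed_root).resolve()
    target = Path(requested).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"refusing to read {target}: outside {root}")
    kept = []
    for p in sorted(target.rglob("*")):
        rel_parts = p.relative_to(root).parts
        if not p.is_file() or any(s.startswith(".") for s in rel_parts):
            continue
        if p.name in SENSITIVE_NAMES or p.suffix.lower() != ".json":
            continue
        if is_sbom(p):
            kept.append(p)
    return kept


def guard_rejects(requested: str, allowed_root: str) -> bool:
    """True if the path guard refuses `requested` for `allowed_root`."""
    try:
        collect_sbom_inputs(requested, allowed_root)
    except ValueError:
        return True
    return False


def rank_by_reach(bom: dict) -> list:
    """Order components by how many others depend on them, transitively: a proxy
    for blast radius when that component turns out to have a problem."""
    edges = {d["ref"]: set(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    refs = [c["bom-ref"] for c in bom["components"]]
    reach = {r: 0 for r in refs}
    for src in refs:
        seen, stack = set(), list(edges.get(src, ()))
        while stack:  # cycle-safe DFS over the dependency graph
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(edges.get(cur, ()))
        for dep in seen:
            reach[dep] = reach.get(dep, 0) + 1
    names = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in bom["components"]}
    return sorted(((names[r], reach[r]) for r in refs), key=lambda t: (-t[1], t[0]))


def demo() -> tuple:
    """Write the sample SBOM plus a decoy secret into a temp dir, run the guard,
    and rank the components of the one file that passed."""
    with tempfile.TemporaryDirectory() as d:
        proj = Path(d) / "proj"
        proj.mkdir()
        (proj / "bom.json").write_text(json.dumps(SAMPLE_SBOM), encoding="utf-8")
        (proj / ".env").write_text("TOKEN=not-for-the-model", encoding="utf-8")
        (proj / "notes.json").write_text('{"todo": []}', encoding="utf-8")
        files = collect_sbom_inputs(str(proj), d)
        return [p.name for p in files], rank_by_reach(json.loads(files[0].read_text()))
```

In the demo the decoy `.env` and the non-SBOM `notes.json` are dropped before any content reaches the explainer, and `log-lib` ranks first because every other component depends on it. The import check is a heuristic for the "no network calls" step: it flags what the source declares, not what it could do at runtime, so treat a clean result as a reason to proceed to the sandboxed run, not as proof.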


latest: vk979pn9dgsz0b7dmp4kx73p0q18374yj


Runtime requirements

🧾 Clawdis
OS: macOS · Linux · Windows
Bins: python3
