Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dependency Tracker
v1.0.1 · Weekly dependency check. Checks whether Node.js, npm, and globally installed packages have updates available. Trigger: a cron scheduled task or a manual invocation.
⭐ 0 · 150 · 1 current · 1 all-time
by @axelhu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The stated purpose (weekly checks of Node.js/npm and global packages) aligns with the commands listed in references/spec.md (node -v, npm -v, npm list -g, npm outdated). However, SKILL.md requires delivering the report to a Feishu channel/ID even though the skill declares no credentials, webhook, or messaging dependency; that delivery requirement is not covered by the declared requirements.
Instruction Scope
Instructions are concrete and scoped to running local shell commands and writing a Markdown report under data/exec-logs/*. The skill reads the included references/spec.md (present). The only out-of-scope element is the unspecified report delivery step: it mandates sending to Feishu but provides no delivery method, tokens, or API endpoints. The skill also requires listing globally installed packages (npm list -g), which legitimately reveals installed package names/versions and could leak environment details.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written or executed by an install step. That is proportionate to the described functionality.
Credentials
The SKILL.md explicitly requires sending messages to Feishu (channel + target ID) but the skill metadata lists no required environment variables or credentials. Either the skill assumes the agent already has Feishu integration (possible) or it silently expects credentials to be supplied elsewhere. This mismatch is a security and operational concern. Additionally, the skill reads/writes local files and lists global npm packages — those actions can expose system package inventory; users should confirm that is acceptable.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated platform privileges. It writes report files under data/exec-logs/* (its own output path) which is normal for a reporting skill.
What to consider before installing
This skill otherwise looks coherent for a dependency checker, but it requires sending reports to Feishu while declaring no credentials or webhook. Before installing:
1) Confirm how messages will be sent. Does your agent already have a Feishu integration, or will you need to provide a FEISHU_WEBHOOK / FEISHU_TOKEN? The skill should explicitly declare the environment variables it requires.
2) Verify that you are comfortable with the skill running shell commands (node -v, npm -v, npm list -g, npm outdated) on the host and writing files to data/exec-logs; listing global packages reveals the installed package inventory.
3) Ask the publisher to clarify the exact delivery mechanism and to add explicit environment variable requirements and error-handling behavior.
4) To limit risk, run the skill in a restricted environment (a container or a dedicated CI runner) and do not enable it for autonomous runs until you have confirmed the messaging credentials and the delivery implementation. If the agent will use shared Feishu credentials, create a dedicated Feishu webhook or account with limited scope instead.
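The checklist above asks for an explicit credential declaration, defined error handling, and a named delivery mechanism. The script below is an added example written for this page, not the skill's own code: it runs the four commands named in references/spec.md, writes the Markdown report under data/exec-logs/, and fails closed on delivery unless a FEISHU_WEBHOOK variable is set. The variable name, the Feishu JSON message shape, and the use of curl and jq for delivery are assumptions; the skill itself declares none of them.

```shell
#!/bin/sh
# Added example (not the skill's own code). Weekly dependency check that
# declares its one credential up front and refuses to deliver without it.
# Assumed: FEISHU_WEBHOOK holds a Feishu custom-bot webhook URL; curl and jq
# are available for the delivery step.
set -u

# Render the Markdown report from already-collected command output.
# Arguments: node version, npm version, global package listing, outdated listing.
render_report() {
  node_v=$1; npm_v=$2; globals=$3; outdated=$4
  printf '# Dependency Report (%s)\n\n' "$(date -u +%Y-%m-%d)"
  printf '## Runtime\n\n- node: %s\n- npm: %s\n\n' "$node_v" "$npm_v"
  printf '## Global packages (npm list -g --depth=0)\n\n'
  printf '%s\n' "$globals" | sed 's/^/    /'      # indented block, no fences needed
  printf '\n## Available updates (npm outdated -g)\n\n'
  printf '%s\n' "$outdated" | sed 's/^/    /'
}

# Run the commands from references/spec.md and write the report.
# Prints the report path. A missing toolchain is reported, not treated as an error.
collect_and_write() {
  outdir=${1:-data/exec-logs}
  mkdir -p "$outdir"
  if command -v node >/dev/null 2>&1; then node_v=$(node -v); else node_v="not installed"; fi
  if command -v npm >/dev/null 2>&1; then
    npm_v=$(npm -v)
    globals=$(npm list -g --depth=0 2>/dev/null || true)
    # npm outdated exits 1 whenever something is outdated; that is data, not a failure.
    outdated=$(npm outdated -g 2>/dev/null || true)
  else
    npm_v="not installed"; globals="(npm not installed)"; outdated="(npm not installed)"
  fi
  report="$outdir/dependency-check-$(date -u +%Y%m%d).md"
  render_report "$node_v" "$npm_v" "$globals" "$outdated" > "$report"
  printf '%s\n' "$report"
}

# Fail closed: no declared credential, no network call. Returns 2 so a
# scheduler can distinguish "not configured" from a transport failure.
deliver_report() {
  report=$1
  if [ -z "${FEISHU_WEBHOOK:-}" ]; then
    echo "FEISHU_WEBHOOK not set; report kept locally at $report" >&2
    return 2
  fi
  # Assumed Feishu custom-bot payload: {"msg_type":"text","content":{"text":...}}
  curl -fsS -X POST "$FEISHU_WEBHOOK" -H 'Content-Type: application/json' \
    --data "$(jq -Rs '{msg_type:"text",content:{text:.}}' < "$report")"
}

# Usage: sh dependency-check.sh run [output-dir]
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
  path=$(collect_and_write "${2:-data/exec-logs}")
  if ! deliver_report "$path"; then
    echo "report not delivered; see messages above" >&2
  fi
fi
```

Running it from cron with FEISHU_WEBHOOK unset still produces the local report, which is the behavior the checklist asks the publisher to document; nothing leaves the host until the credential is deliberately provided.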
latest vk971t2btm1hyb3ybmc38p93ef9835349
