GitHub Analyzer
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users have less external context for validating the publisher or update history.
The provided metadata does not identify a source repository or homepage, which makes provenance harder to verify even though the bundled files are visible for review.
Source: unknown
Homepage: none
Review the included script before use and prefer a verified upstream source if one becomes available.
If a user or agent blindly runs the generated deployment commands, untrusted repository code or dependencies could execute locally.
The script includes deployment commands such as docker-compose, npm, pip, go, cargo, and make in generated reports. These are recommendations and are not executed by the script, but following them could run code from the analyzed project.
DEPLOY_ADVICE="推荐使用 Docker 部署\n\`\`\`bash\ndocker-compose up -d\n\`\`\`"
Treat deployment commands as suggestions only; inspect the target repository and dependency files before running them.
A generated report may preserve untrusted repository text that should not be treated as authoritative instructions.
The script fetches repository README content and saves the first 50 lines into a persistent local Markdown report. That content is controlled by the analyzed repository and could contain misleading instructions or prompt-injection text if later read by an agent.
README_FIRST_LINES=$(echo "$README_CONTENT" | head -50)
When reviewing reports, treat README excerpts as untrusted project content and do not let them override user intent or security decisions.
