Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
tvs-analyze
v1.0.0
When the user asks for code analysis, provide information about the project's structure, dependencies, main business logic, and existing problems, so that developers can quickly understand the project. When the user asks what some piece of code does, locate the related business-logic code, analyze it, and summarize its purpose and implementation details.
⭐ 0· 97·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (project/code analysis, dependency graph, explain code) align with the provided assets: a SKILL.md describing analysis behavior and a small script to generate madge dependency graphs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md focuses on analyzing project code, producing ASCII diagrams, file/dir overviews and (optionally) generating madge graphs. It does not instruct reading system secrets or unrelated files. Minor inconsistency: the docs show a path 'node .claude/skills/analyze/scripts/generate-madge.mjs' while the repository contains scripts/generate-madge.mjs — likely an install/path expectation but not a security issue.
Install Mechanism
No install spec (instruction-only) — lowest disk risk. The included script uses execSync to call 'npx madge' and 'dot' (Graphviz). npx may fetch packages from the npm registry at runtime (network activity and execution of remote code), which is expected for this workflow but worth noting as a moderate operational risk.
Credentials
The skill requires no environment variables or credentials and writes output into a local '.claude/analyze' directory. Requests are proportionate to the stated purpose.
Persistence & Privilege
The skill's always flag is false, and the skill does not request permanent system-level presence or modify other skills. It creates a local output directory within the agent workspace — reasonable for its function.
Assessment
This skill appears to do what it claims. Before running: (1) inspect scripts/generate-madge.mjs (already included) — it only runs 'command -v', npx madge, and checks Graphviz; (2) be aware that using npx may download and execute packages from npm at runtime — if you prefer, preinstall madge and graphviz to avoid network fetches; (3) avoid running the tool on directories containing sensitive secrets you don't want written into generated artifacts; (4) resolve the minor path inconsistency in SKILL.md (where to run the script) before use. If you need higher assurance, run the script in a sandboxed environment or review/replace the 'npx' invocation with an explicitly installed madge binary.
Patterns worth reviewing
scripts/generate-madge.mjs:28: Shell command execution detected (child_process).
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
latestvk9726jrwcp8y65sbdr42j0rg4h833s30
