Node Auto Debugger

Audited by ClawScan on May 10, 2026.

Overview

The skill appears purpose-aligned for scanning Node.js projects, but its build option can run the target project's npm build script, so use it only on projects you trust.

This looks like a normal local Node.js audit/debugging helper. Before installing or running it, review the complete script, avoid --build on untrusted repositories unless sandboxed, and do not commit the generated AUTO-DEBUG-REPORT.md if it contains sensitive findings.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the build check on an untrusted repository could execute that repository's build script on your machine.

Why it was flagged

The script can invoke the target project's npm build command. This is consistent with the documented build-verification feature, but npm scripts can execute arbitrary local commands if the project is untrusted.

Skill content
const result = spawnSync('npm', ['run', 'build'], { cwd: this.projectDir,
Recommendation

Use --build only for trusted projects, or run it in a sandbox after reviewing package.json scripts.

What this means

The generated report may reveal where sensitive issues exist and could be accidentally committed or shared.

Why it was flagged

The skill writes a persistent local report that may include findings about hardcoded secrets or sensitive code locations. The visible artifacts do not show exfiltration or secret values, but the report should be treated as project-sensitive.

Skill content
Report saved to `<project>/AUTO-DEBUG-REPORT.md` ... Critical — will crash or leak secrets
Recommendation

Review AUTO-DEBUG-REPORT.md before sharing or committing it, especially for private projects.

What this means

You have less external context for who maintains the script or where to compare it against an upstream version.

Why it was flagged

The registry metadata does not identify an upstream source or homepage for the included script. This is not malicious by itself, but it limits provenance verification.

Skill content
Source: unknown; Homepage: none
Recommendation

Inspect the full script before use and prefer a trusted or verifiable source when available.