Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
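MagicBox Node Service Development Skill Pack
v1.0.0
Development standards and best-practice guide for Node.js + TypeScript projects. Provides conventions for MagicBox Node service development, covering code style, directory structure, configuration management, and container deployment.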
by JinChunCheng (@jinchuncheng123)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill is an instruction-only guideline for MagicBox Node service development and deployment. The files (code-style, directory-structure, config-management, container-deployment) are consistent with the stated purpose; there are no unexpected required binaries, env vars, or credentials.
Instruction Scope
Instructions stay within the expected scope (project structure, config loading from .env/.env.develop or /etc/magicbox-node/env.config.json, Docker/Kubernetes deployment). They reference reading /etc/magicbox-node/env.config.json and local .env files (expected). However, some runtime recommendations broaden runtime attack surface (starting sshd and crond inside container, setting world-writable permissions) and suggest copying plaintext credentials into ConfigMap — these are scope-consistent but security-risky deployment choices that are not necessary for the stated purpose.
Install Mechanism
No install specification and no code files to run; instruction-only means nothing is downloaded or written by the skill itself — low install risk.
Credentials
The skill declares no required environment variables or credentials (proportionate). The guidance does, however, show examples that store DB credentials and secrets in plaintext (ConfigMap/env config), uses CORS_ORIGIN="*", and sets npm registry to an HTTP endpoint — these practices expose sensitive data and are not recommended for production.
Persistence & Privilege
always:false and no install actions; the skill does not request persistent presence or modify other skills or system-wide agent settings. Normal autonomous invocation is allowed (platform default).
Assessment
This skill is coherent with its description and doesn't request credentials or install software, but review and harden the deployment recommendations before using them in production. Key items to address: avoid running sshd and cron inside containers (prefer sidecars or host tooling), remove or restrict chmod 777 usage (use least privilege), do not store DB passwords in ConfigMaps or plaintext files — use Kubernetes Secrets or a vault, avoid CORS_ORIGIN set to '*' in production, change the npm registry line to a secure HTTPS registry you trust, and tighten filesystem and container startup practices. If you plan to copy these templates into your CI/CD, scan them for secrets and replace ConfigMap-based passwords with secure secret management. If you want, I can produce a hardened version of the Dockerfile, Kubernetes manifests, and config-loading code with secure defaults.
Like a lobster shell, security has layers — review code before you run it.
