魔盒node服务开发技能包
PassAudited by ClawScan on May 1, 2026.
Overview
This is a documentation-only Node.js/TypeScript development guide with no install-time code or required credentials, but its deployment examples should be reviewed before copying into production.
Safe to install as a documentation-style development guide, but do not blindly apply the deployment snippets. Review npm registry settings, Kubernetes targets, credential storage, container permissions, and background services before using the generated templates in real environments.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied as-is, builds may depend on a specific package registry and could be exposed to package-source or transport risks.
The deployment template installs npm packages and points npm at a nonstandard HTTP registry. This is part of the documented build workflow, but users should verify the registry and dependency integrity.
npm config set registry=http://registry.m.jd.com ... RUN chmod 777 /home/export/App/ && npm install
Use a trusted HTTPS registry where possible, commit and honor a lockfile, prefer npm ci for reproducible builds, and verify this registry is intended for your environment.
Running these commands against the wrong registry, cluster, or namespace could publish images or change running infrastructure.
The guide documents registry push and Kubernetes apply commands. These are expected for a deployment guide, but they are high-impact operations if an agent is asked to execute them.
docker push magicbox-node:latest ... kubectl apply -f kubernetes/deployment.yaml
Require explicit confirmation of the target registry, Kubernetes context, namespace, and manifest before allowing an agent to run deployment commands.
Copying the template with real database passwords in a ConfigMap could expose credentials more broadly than intended.
The Kubernetes ConfigMap example includes database credential fields. They appear to be placeholders and are purpose-aligned for a service configuration guide, but real credentials require stronger handling.
"DB_USERNAME": "username", "DB_PASSWORD": "password"
Use Kubernetes Secrets or a dedicated secret manager for real database passwords, avoid committing secret values, and keep production config files tightly permissioned.
A generated container may run more background services than necessary and have overly permissive filesystem permissions.
The container template enables extra long-running services and world-writable paths. This is disclosed template content, not hidden behavior by the skill, but it expands runtime surface area.
RUN mkdir -p /export/Data && chmod 777 /export/Data ... ENTRYPOINT /usr/sbin/sshd && /usr/sbin/crond && ... /home/export/App/start.sh
Remove sshd/crond unless explicitly required, avoid chmod 777, run containers as a least-privilege user, and document any required background services.