cg-test-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is an instruction-only pnpm helper with no code or install steps, but users should still review pnpm commands because they can change dependencies and may read npm configuration.

This skill appears safe as an instruction-only pnpm reference. Before installing, be aware that pnpm tasks can change dependency files and run package code, and avoid revealing any tokens that may be present in .npmrc.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved carelessly, pnpm commands could change package.json, lockfiles, installed dependencies, or run project/package code.

Why it was flagged

These pnpm operations can modify dependency files or execute package scripts, but they are explicitly tied to the package-manager purpose.

Skill content

CLI Commands | Install, add, remove, update, run, exec, dlx, and workspace commands

Recommendation

Review dependency-changing or execution commands before allowing them, especially run, exec, and dlx.

What this means

The agent may inspect project configuration that could include npm registry credentials if those are stored in .npmrc.

Why it was flagged

.npmrc is a normal pnpm/npm configuration file, but it can also contain registry authentication tokens or private registry settings.

Skill content

agents should check for `pnpm-workspace.yaml` and `.npmrc` files to understand workspace structure and configuration

Recommendation

Avoid exposing .npmrc contents in chat or logs; redact tokens and only allow access to the project configuration needed for the task.

What this means

Users cannot verify provenance from registry metadata alone, although no executable code or install step is included.

Why it was flagged

The registry metadata does not provide a verified source or homepage, even though the SKILL.md claims the content was generated from pnpm-related repositories.

Skill content

Source: unknown; Homepage: none

Recommendation

Treat the skill as documentation guidance and verify pnpm behavior against official pnpm documentation when making important dependency changes.