Java Maven Secondary Analysis
v1.0.0
Analyze a Java Maven project delivered as a ZIP archive or a GitLab repository URL for secondary-development scope, class counts, module distribution, produc...
by 刘岗强 (@mrliugangqiang)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md claims support for ZIP archives and GitLab repository URLs, but the bundled script only consumes a prepared local workspace described by a prepare JSON. The SKILL.md does mention using an external helper ('java-maven-common') to normalize inputs, so the design is coherent but relies on that external preparer which is not included or declared as an explicit dependency in registry metadata.
Instruction Scope
Runtime instructions and the script are limited to local filesystem analysis of declared project files (pom.xml, src/, scripts, SQL, CI, etc.): they extract simple keywords, count Java files, and produce a markdown report. There are no instructions to read unrelated system files, export data to external endpoints, or access secrets.
Install Mechanism
No install spec is provided (instruction-only plus a small included Python script). Nothing is downloaded or executed from remote URLs and the script is readable and small.
Credentials
The skill itself does not request environment variables or credentials. However, SKILL.md references accepting GitLab URLs with 'user-authorized SSH access' and the external 'java-maven-common' preparer — those steps (outside this skill) may require SSH keys or tokens. Users should verify the preparer before granting repository access.
Persistence & Privilege
The skill does not request permanent presence (always is false), does not modify other skills or global agent settings, and writes only local report files under the provided report path (suggested 'business/').
Assessment
This skill appears to only run a local static scan and generate a markdown report; it does not exfiltrate data or request credentials itself. Before installing or invoking it, check the following: (1) the external preparer referenced ('java-maven-common') is trustworthy because preparing ZIPs or cloning GitLab URLs may require SSH keys or tokens; (2) confirm you are comfortable the agent/environment that runs the skill has appropriate access to the repository (avoid granting broad SSH keys to untrusted code); (3) note reports are written to disk (suggested 'business/' directory) — verify workspace permissions and storage location; (4) if you need end-to-end behavior (feed a raw GitLab URL), inspect or provide the preparer implementation to ensure no unexpected network/exfiltration occurs.
Like a lobster shell, security has layers — review code before you run it.
