m
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command could delete files, overwrite destinations, or move data to the wrong place.
The skill documents shell commands that can permanently remove or overwrite local data. The comment advises confirmation, and the behavior fits the move/migration purpose, but it is still high-impact if run incorrectly.
rsync -avh source/ /mnt/other_disk/backup/ ... rm -r source/ # 确认后再删
Confirm source and destination paths before running commands, prefer interactive or dry-run modes where available, and keep backups before destructive moves.
Using these commands may change the whole system or access privileged databases, not just files in the current project.
The skill includes examples requiring elevated OS privileges or database administrator credentials. These are expected for package and data migration tasks, but they cross important permission boundaries.
sudo apt purge nginx ... sudo apt upgrade ... mysqldump -u root -p db > backup.sql
Use least-privilege accounts, require explicit user confirmation before sudo or root database operations, and verify the exact package, service, or database target.
A service could continue running or start on boot after the immediate task is finished.
The skill documents commands that can make services start automatically. This is disclosed under service management, but it creates persistent system behavior.
sudo systemctl enable nginx # 开机自启 ... Set-Service -Name "Spooler" -StartupType Automatic
Only enable startup behavior when the user explicitly asks for it, and document how to disable or roll back the service change.