Json Repair Kit
Repair malformed JSON files by normalizing them through Node.js evaluation. Use this to fix trailing commas, single quotes, unquoted keys, or other common sy...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 545 · 0 current installs · 0 all-time installs
by WANGJUNJIE @wanng-ide
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: the script reads .json files (single file or recursive directory), attempts JSON.parse, and falls back to evaluating the content as JavaScript to re-serialize valid JSON. File IO and backup behavior are consistent with the stated purpose.
Instruction Scope
SKILL.md and index.js instruct the agent to parse malformed JSON by evaluating the file content in a vm context and assert this is safe. In practice, vm.runInContext/vm.Script do not guarantee security against sandbox escapes; evaluating arbitrary file contents can lead to arbitrary JS execution with access to the host environment via known escape patterns (e.g., constructor.constructor / Function() usage). The instructions do not warn users to only run on trusted files or describe the risk.
Install Mechanism
No install spec; tool is instruction/code-only (index.js, package.json, test script). Nothing is downloaded or written during installation — low install risk.
Credentials
No credentials, env vars, or external endpoints are requested. The script reads and writes local files (including recursive directory scan) which is appropriate for a file-repair utility.
Persistence & Privilege
Skill is not always-enabled and does not request persistent platform privileges. It modifies only files the user points it at (creates .bak files by default) and exports functions for testing; it does not change other skills or global agent config.
What to consider before installing
This tool will execute the contents of the files you give it inside Node's VM to 'repair' loose JSON. That is functionally powerful but not a secure sandbox: a maliciously crafted file can execute JavaScript that escapes the VM and touches your filesystem or process. Only run this on files you trust. If you need to process untrusted input, consider safer alternatives: use tolerant parsing libraries (json5, strip-json-comments + JSON.parse, jsonc-parser) that don't evaluate code, or run the script inside an isolated container/VM with limited permissions. If you keep this tool, at minimum: (1) audit files before repair, (2) keep backups (.bak is created by default), and (3) consider replacing the eval-based fallback with a proper parser or an AST-based approach that doesn't run code.
Like a lobster shell, security has layers — review code before you run it.
Current version v1.0.0
SKILL.md
JSON Repair Kit
A utility to repair broken or "loose" JSON files (like those with trailing commas, single quotes, or unquoted keys) by parsing them as JavaScript objects and re-serializing as valid JSON.
Usage
# Repair a file in place (creates .bak backup)
node skills/json-repair-kit/index.js --file path/to/broken.json
# Repair and save to a new file
node skills/json-repair-kit/index.js --file broken.json --out fixed.json
# Scan directory and repair all .json files (recursive)
node skills/json-repair-kit/index.js --dir config/ --recursive
Supported Repairs
- Trailing Commas: {"a": 1,} -> {"a": 1}
- Single Quotes: {'a': 'b'} -> {"a": "b"}
- Unquoted Keys: {key: "value"} -> {"key": "value"}
- Comments: Removes JS-style comments // (if parser supports it, standard Node eval may strip them if they are line comments outside of strings).
- Hex/Octal Numbers: 0xFF -> 255
Safety
- Backup: Always creates a .bak file before overwriting (unless --no-backup is used, but default is safe).
- Validation: Verifies the repaired content is valid JSON before writing.
- Eval Sandbox: Uses vm.runInNewContext to parse, ensuring no access to global scope or process. It is safer than eval().
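As an added example (not the skill's own code), the following recursive-descent parser handles the repairs listed under Supported Repairs without evaluating file content, which is the replacement the scan recommends for the eval-based fallback. The names parseLoose, repair and SAMPLE are hypothetical.

```javascript
// Added example (hypothetical names parseLoose/repair/SAMPLE; not json-repair-kit code).
function parseLoose(src) {
  let i = 0;
  const fail = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  const take = (re) => {            // re is sticky (/y): match only at offset i
    re.lastIndex = i;
    const m = re.exec(src);
    if (m) i += m[0].length;
    return m && m[0];
  };
  const skip = () => { while (take(/\s+|\/\/[^\n]*|\/\*[\s\S]*?\*\//y)) {} };
  const string = () => {
    const raw = take(/"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'/y) || fail('bad string');
    const body = raw.slice(1, -1).replace(/\\(.)|"/g,  // normalise to a JSON literal
      (m, c) => (c === "'" ? "'" : m === '"' ? '\\"' : m));
    return JSON.parse(`"${body}"`);                    // JSON.parse validates the escapes
  };
  const container = (open) => {
    const isObj = open === '{', close = isObj ? '}' : ']';
    const out = isObj ? Object.create(null) : [];  // no prototype: "__proto__" is plain data
    i++;
    for (;;) {
      skip();
      if (src[i] === close) { i++; return out; }   // also accepts a trailing comma
      if (isObj) {
        const key = /["']/.test(src[i]) ? string() : take(/[A-Za-z_$][\w$]*/y) || fail('bad key');
        skip();
        if (src[i++] !== ':') fail('expected ":"');
        out[key] = value();
      } else out.push(value());
      skip();
      if (src[i] === ',') i++;
      else if (src[i] !== close) fail('expected "," or closing bracket');
    }
  };
  const value = () => {
    skip();
    if (src[i] === '{' || src[i] === '[') return container(src[i]);
    if (/["']/.test(src[i])) return string();
    const n = take(/[-+]?(?:0[xX][\da-fA-F]+|0[oO][0-7]+|(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?)/y);
    if (n) return (n[0] === '-' ? -1 : 1) * Number(n.replace(/^[-+]/, ''));
    const kw = take(/(?:true|false|null)\b/y);
    return kw ? JSON.parse(kw) : fail('unexpected token');  // identifiers, calls, operators
  };
  const result = value();
  skip();
  return i < src.length ? fail('trailing content') : result;
}
const repair = (text) => JSON.stringify(parseLoose(text), null, 2);
const SAMPLE = "{ /* constructed input */ name: 'demo', \"n\": 0xFF, list: [1, 2, ], }";
```

Anything that is not a literal (identifiers, function calls, operators) raises SyntaxError instead of being executed; legacy octal such as 017 is read as decimal 17.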
