Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
JAR Conflict Detector (jar冲突检测器)
v1.0.0
This skill should be used when the user needs to detect JAR package conflicts, version inconsistencies, or known incompatible dependency pairs in a Spring Bo...
by @yssnb
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (JAR conflict detection for Maven/Gradle Spring Boot projects) matches the provided code and instructions: the script parses pom.xml, can invoke mvn dependency:tree or gradle dependencies, and uses a local references file for known incompatibilities and fixes.
Instruction Scope
Runtime instructions explicitly tell the agent to run the bundled Python script which in turn will invoke mvn/gradle in the user's project directory. Running mvn/gradle (even for dependency queries) can execute project build logic, init scripts, plugins, and may download remote artifacts — this is expected for the task but is a notable execution and network risk if run against untrusted code. Also SKILL.md suggests UI actions like 'preview_url' or 'open_result_view' which are not implemented in the script (minor mismatch). The script does provide a static POM parsing fallback, which reduces risk if chosen.
Install Mechanism
No install spec — instruction-only plus a bundled Python script that uses only the Python standard library. Nothing is downloaded from external URLs by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The code runs mvn/gradle from the provided project directory but does not attempt to read unrelated system files or environment secrets.
Persistence & Privilege
Skill is not always-enabled, does not request elevated or persistent platform privileges, and does not modify other skills or agent-wide configuration. Autonomous invocation remains possible (platform default) but is not combined with additional privileges.
What to consider before installing
This skill appears to do what it claims, but before running it consider:
1) Running mvn/gradle in a project can execute build scripts, plugins, init scripts, and may run arbitrary code from the repository — only run it on trusted projects or inside an isolated sandbox/container and a non-privileged account.
2) Build tools may download artifacts from the network; if you need a zero-network audit, prefer the static POM parsing fallback.
3) Inspect scripts/detect_conflicts.py yourself (it is included) to confirm there are no unexpected behaviors.
4) If you are automating in CI, use the script's exit codes and JSON output, but ensure the CI runner environment is appropriately sandboxed.
5) The SKILL.md mentions preview functions not implemented by the script — expect to open report files manually.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dq1d1k8jeddzs475hkhccnh84dndm
