Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Json Modifier

v1.0.0

Safely apply structured JSON patches (RFC 6902) to files. Use this skill when you need to update configuration files, package.json, or memory JSONs without r...

by WANGJUNJIE (@wanng-ide)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the included code: index.js implements a CLI that reads a JSON file and an RFC 6902 patch and writes the result. Minor documentation mismatch: SKILL.md examples reference 'node skills/json-modifier/index.js' while the repo provides index.js at the package root; this is likely a path/documentation inconsistency rather than malicious behavior.
Instruction Scope
SKILL.md only documents CLI usage for applying patches. The code only reads the specified target file/patch file, validates and applies the patch, and performs an atomic write. It does not read other files, environment variables, or network endpoints.
Install Mechanism
No install spec is provided; this is instruction-plus-code. The only dependency is fast-json-patch from the public npm registry (package-lock.json points to registry.npmjs.org). There are no arbitrary downloads, extract steps, or unusual install actions.
Credentials
No environment variables, credentials, or config paths are requested or used. The skill's requested privileges are minimal and aligned with editing local files.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It does not modify other skills or global agent config.
Assessment
This skill appears to be what it claims: a safe JSON-patch CLI. Before installing or running it:
1) Verify the file path you or the agent will call (SKILL.md path examples differ from the package layout) so the agent executes the correct script.
2) Run the included test locally (npm install then npm test) in a safe directory to confirm behavior.
3) Be cautious about which files you allow the agent to modify: the tool will overwrite files (atomic rename is used, but data loss can occur if patches are incorrect).
4) Review/lock dependencies if you require stricter supply-chain controls (it uses fast-json-patch from npm).
5) Note tests use child_process.execSync to invoke the CLI locally. That's normal for testing but confirms the package executes local commands.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dgzj2rqemw082r1hrcwrvk58179jn