Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
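One-Click Project Generator
v1.0.1 Fully automated project generator and launcher - generates a complete Spring Boot + Vue3 project, including complete front-end and back-end code (RBAC + business entities), database initialization, compilation and startup, and automatic browser opening. Supports full CRUD (list, query, create, update, delete, view), multi-condition queries, status dropdown enums, Redis configuration, and Swagger documentation, with parameters customized through a JSON configuration file.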
by 小明 @smallest-ming
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (one‑click project generator) matches the included artifacts: two Python 'starter' scripts that generate code, run builds, initialize a database, start services, and open a browser. The tools the scripts check for (Java, Maven, Node, NPM, optional Docker/MySQL client) are consistent with building and running a Spring Boot + Vue project.
Instruction Scope
SKILL.md and the scripts instruct the agent to read a JSON config containing database and Redis credentials, generate code, write files into a project directory, execute SQL against the configured database, run build commands (mvn, npm), launch services, and open the browser. Those actions are coherent with the purpose but high‑risk: executing arbitrary SQL on any DB you point at and running system commands can be destructive. The instructions do not include safeguards preventing use against production databases; the agent will run subprocess commands and create/modify files on disk.
Install Mechanism
There is no install spec (instruction-only skill) — the scripts run with the system Python interpreter. The code depends on Python packages (pymysql) and system tools (java/mvn/node/npm). Dependencies may be installed at runtime (the script returns an ImportError message suggesting 'pip install pymysql') but the skill does not manage package installation itself.
Credentials
The skill requests no environment variables but requires a config.json with database and optional Redis host/user/password. Those credentials are necessary for its advertised DB initialization functionality, but they are sensitive. No unrelated credentials or system-wide tokens are requested.
Persistence & Privilege
The skill is not 'always' enabled and does not request persistent platform privileges. It writes project files into a target directory and launches processes, but it does not modify other skills or global agent configuration.
Assessment
This skill appears internally consistent with its description, but it performs high‑impact actions: it will write project files, run build commands, and — importantly — connect to the database you provide and execute SQL scripts. Before running it:
1) Do NOT point it at a production database or critical Redis instance. Use a disposable/local DB or container.
2) Inspect the generated SQL (db init scripts) and the Python scripts to confirm they don't DROP or ALTER unintended schemas.
3) Run in an isolated environment (VM/container) so builds and services can't affect your host.
4) Be prepared to install Python deps (pymysql) in a virtualenv.
5) Backup any real data if you must test against an existing DB.
6) If you are uncomfortable providing DB/Redis credentials in a JSON file, do not run the skill.
If you want a deeper review, share the generated SQL files (db/init.sql) and the full Python scripts so I can point out specific statements or subprocess calls to watch for.
Like a lobster shell, security has layers — review code before you run it.
