Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Package Version Tracker

Queries version information, release history and dependencies for npm and PyPI packages, with version comparison and batch queries; responses are fast and no API key is required.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 27 · 1 current installs · 1 all-time installs
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the included code: the Python script queries public npm and PyPI JSON endpoints and provides version info and a simple version-compare. However the SKILL.md/_meta.json claim support for batch queries and dependency details; the script does not implement batch processing or extract dependency lists as the docs imply.
Instruction Scope
SKILL.md instructs use of public registry APIs and lists rate limits and batch limits. The runtime instructions do not ask for any files, credentials, or unexpected endpoints. But there's a scope mismatch: SKILL.md promises dependency information and multi-package batch queries, while the script only handles single-package queries and returns limited fields.
Install Mechanism
No install spec, no downloads, and one small Python script packaged with the skill. No third-party installers or remote archives are used — low install risk.
Credentials
No environment variables, credentials, or config paths are requested. _meta.json lists 'network' permission which is appropriate for querying public registries.
Persistence & Privilege
Skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or system configuration.
What to consider before installing
This skill appears to perform the described public-registry lookups and does not request secrets or local file access, so it is low-risk in terms of credential exfiltration. However, the documentation overstates features (it mentions batch queries and dependency info) that the included script does not fully provide; that inconsistency could be sloppy engineering or indicate an incomplete or untested skill. Before installing: (1) review the script if you need batch queries or dependency details (it currently handles single-package queries only), (2) be aware it requires outbound network access to npmjs.org and pypi.org, and (3) if you require the advertised features, ask the author for an updated implementation or patch the script yourself. If you want a conservative recommendation, treat this as untrusted code until you have validated that it works as advertised.


Current version: v1.0.1
latest: vk97f2pmr824h2ngy0nqx4kea3x8305bc


SKILL.md

Package Version Tracker

Quickly query npm/PyPI package version information and track the latest and historical versions.

Features

  • npm package version lookup: query an npm package's latest version, publish time and full version list
  • PyPI package version lookup: query a PyPI package's latest version and release history
  • Version comparison: compare two version numbers
  • Multi-package batch query: query several packages at once

Trigger phrases

  • "check npm package version"
  • "pypi version"
  • "package version"
  • "package version lookup"
  • "npm latest"
  • "pip show"

Usage

Command format

/version npm <package_name>
/version pypi <package_name>
/version compare <version1> <version2>

Examples

/version npm react
/version pypi pandas
/version compare 2.0.0 1.9.0

Output format

Returns the package's details:

  • Package name
  • Latest version
  • Release date
  • Number of versions
  • Dependency information
  • Historical version list (most recent 5)

Limits

  • No API key needed; the public registry APIs are used directly
  • Rate limit: at most 5 requests per second
  • Batch queries: at most 10 packages
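As an added example (not the skill's own script), the following shows what building the documented output record from the public registry JSON would involve, including the dependency fields and a version compare that orders numeric components as integers and places pre-releases before the final release. The npm and PyPI payloads are constructed samples in the shape of registry.npmjs.org and pypi.org/pypi/<name>/json responses, so the code runs offline.

```python
import json
import re
# Constructed sample shaped like a https://registry.npmjs.org/<name> response
NPM_SAMPLE = json.dumps({
    "name": "demo-pkg", "dist-tags": {"latest": "2.0.0"},
    "versions": {"1.9.0": {"dependencies": {"left": "^1.0.0"}},
                 "1.10.0": {"dependencies": {"left": "^1.1.0"}},
                 "2.0.0": {"dependencies": {"left": "^2.0.0", "right": "~0.3.0"}}},
    "time": {"1.9.0": "2023-01-05T10:00:00.000Z", "1.10.0": "2023-03-02T10:00:00.000Z",
             "2.0.0": "2024-01-15T10:00:00.000Z"},
})
# Constructed sample shaped like a https://pypi.org/pypi/<name>/json response
PYPI_SAMPLE = json.dumps({
    "info": {"name": "demo", "version": "1.2.0", "requires_dist": ["numpy>=1.20"]},
    "releases": {"1.1.0": [{"upload_time": "2023-06-01T00:00:00"}],
                 "1.2.0rc1": [{"upload_time": "2024-02-01T00:00:00"}],
                 "1.2.0": [{"upload_time": "2024-02-10T00:00:00"}]},
})
def version_key(v: str):
    # Numeric core as ints (1.10.0 > 1.9.0); trailing zeros dropped (2.0 == 2.0.0);
    # a bare release sorts after its own pre-releases (2.0.0rc1 < 2.0.0).
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", v)
    core, rest = (m.group(1), m.group(2)) if m else ("0", v)
    nums = [int(x) for x in core.split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), rest == "", rest)

def compare(a: str, b: str) -> int:
    # -1, 0 or 1: the result `/version compare` is documented to give.
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)

def parse_npm(payload: str) -> dict:
    doc = json.loads(payload)
    latest = doc["dist-tags"]["latest"]
    ordered = sorted(doc["versions"], key=version_key, reverse=True)
    return {"name": doc["name"], "latest": latest, "published": doc["time"][latest][:10],
            "version_count": len(ordered), "recent": ordered[:5],
            "dependencies": doc["versions"][latest].get("dependencies", {})}

def parse_pypi(payload: str) -> dict:
    doc = json.loads(payload)
    info, releases = doc["info"], doc["releases"]
    latest = info["version"]
    ordered = sorted(releases, key=version_key, reverse=True)
    files = releases.get(latest) or [{}]  # a release may have no uploaded files
    return {"name": info["name"], "latest": latest, "version_count": len(ordered),
            "published": files[0].get("upload_time", "")[:10], "recent": ordered[:5],
            "dependencies": info.get("requires_dist") or []}
```

A plain string comparison would rank 1.9.0 above 1.10.0 and 2.0.0rc1 above 2.0.0, which is why the sort key parses the numeric components.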

Files

3 files total
