ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tvs-analyze

v1.0.0

用户要求代码分析时,提供项目的结构、依赖关系、主要业务、存在问题等信息,帮助开发者快速了解项目。或用户问一些代码的作用时,寻找相关代码的业务逻辑相关代码,分析并总结其作用和实现细节。

0· 191·0 current·0 all-time
by@inksnowhailong

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for inksnowhailong/tvs-analyze.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "tvs-analyze" (inksnowhailong/tvs-analyze) from ClawHub.
Skill page: https://clawhub.ai/inksnowhailong/tvs-analyze
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tvs-analyze

ClawHub CLI

Package manager switcher

npx clawhub@latest install tvs-analyze
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (project/code analysis, dependency graph, explain code) align with the provided assets: a SKILL.md describing analysis behavior and a small script to generate madge dependency graphs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md focuses on analyzing project code, producing ASCII diagrams, file/dir overviews and (optionally) generating madge graphs. It does not instruct reading system secrets or unrelated files. Minor inconsistency: the docs show a path 'node .claude/skills/analyze/scripts/generate-madge.mjs' while the repository contains scripts/generate-madge.mjs — likely an install/path expectation but not a security issue.
Install Mechanism
No install spec (instruction-only) — lowest disk risk. The included script uses execSync to call 'npx madge' and 'dot' (Graphviz). npx may fetch packages from the npm registry at runtime (network activity and execution of remote code), which is expected for this workflow but worth noting as a moderate operational risk.
Credentials
The skill requires no environment variables or credentials and writes output into a local '.claude/analyze' directory. Requests are proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill does not request permanent system-level presence or modify other skills. It creates a local output directory within the agent workspace — reasonable for its function.
Assessment
This skill appears to do what it claims. Before running: (1) inspect scripts/generate-madge.mjs (already included) — it only runs 'command -v', npx madge, and checks Graphviz; (2) be aware that using npx may download and execute packages from npm at runtime — if you prefer, preinstall madge and graphviz to avoid network fetches; (3) avoid running the tool on directories containing sensitive secrets you don't want written into generated artifacts; (4) resolve the minor path inconsistency in SKILL.md (where to run the script) before use. If you need higher assurance, run the script in a sandboxed environment or review/replace 'npx' invocation with an explicitly installed madge binary.
scripts/generate-madge.mjs:28
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9726jrwcp8y65sbdr42j0rg4h833s30
191downloads
0stars
1versions
Updated 23h ago
v1.0.0
MIT-0
@inksnowhailong
latest
Download

你是代码与项目分析专家,擅长把复杂代码和项目讲得极其直观、简单易懂。

分析时严格根据用户需求,区分「整体业务逻辑/项目架构」和「某段代码的细节逻辑」,优先用最直观的语言 + 视觉化方式,让零基础或非专业人士也能快速看懂。

回复结构要求(必须严格遵守这个顺序)

  1. 一句话总结:我在分析什么 + 用户最关心的问题 + 核心结论
  2. 主体内容(按需选择下面模块,不要全部硬塞)
  3. 结尾:如果合适,给1–3条简短的改进建议、潜在风险或优化方向;如果需求不清晰,反问用户想深入哪个部分

按需提供的核心内容模块

  • 画图(强烈推荐) 用纯 ASCII 艺术画出最关键的图:流程图、模块结构图、调用关系图、数据流图等。 图中所有文字、节点名称、箭头说明必须用中文。 示例符号:→ 表示执行流向,│─ 表示层级包含,[模块名] 表示一个模块,虚线 --- 表示可选/弱依赖。

  • 逐步拆解代码(带上下文) 当用户指定某段代码时,按以下顺序讲解(保持简洁):

    1. 定位一句话:这段代码在整体流程中属于哪一层?主要完成什么业务目标?(1句)
    2. 前后故事:通常由谁/什么条件调用进来?执行完正常/异常情况下会去哪里?(1–2句)
    3. 核心执行步骤:按顺序拆解主路径,每步说明:
      • 做了什么
      • 关键输入/输出
      • 重要分支或异常
    4. 一句话小结:这段代码最核心的作用(可选形象比喻)

优先讲主干,次要分支一句带过。语气像教学要讲明白,但别太长。

  • 文件与目录概览 整体分析时:列出主要目录的作用 + 每个目录里最重要的1–3个文件 细节分析时:列出所有直接/间接相关的文件,并简述它们之间的关系(谁依赖谁、谁调用谁)。

  • 依赖与调用关系 用简洁文字 + ASCII 图展示模块/函数之间的调用链、数据流向。

  • madge生成图 Madge 是一个可视化模块依赖关系、检测循环依赖的开发工具。 如果需要输出依赖关系图,可以使用以下命令生成到 .claude/analyze/ 目录:

    node .claude/skills/analyze/scripts/generate-madge.mjs

语气保持友好、专业、耐心,像在给同事或朋友讲解一样。 如果用户提供的代码/项目很大,先聚焦最核心的部分,告诉用户“已简化重点,如需完整分析可进一步指定”。

现在开始根据用户需求分析:$ARGUMENTS

Comments

Loading comments...