Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
uniapp project analyzer (script edition)
v1.0.0 script edition (PowerShell) - accurate statistics, offline analysis, depends on skill-seekers
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included scripts and configs: the tool inspects uni-app/Vue files, computes code-quality metrics and generates reports. Requiring 'skill-seekers' (the external analysis engine) is consistent with the stated design. However, there are inconsistencies in the shipped implementation: SKILL.md describes merging the base config with a project-type config and parsing package.json for Vue detection, but the provided load_config implementation appears to only cat the base config (it does not merge the type-specific config). Additionally, the type configs list 'package.json' among excluded files, which contradicts SKILL.md's stated deep analysis of package.json. These are design/engineering issues (not obviously malicious), but they reduce internal consistency.
Instruction Scope
Runtime instructions and scripts operate on project files only (manifest.json, pages.json, package.json, .vue/.js files). The tool copies project files to a temporary directory and invokes 'skill-seekers' to do deep analysis, which is coherent with project analysis. One privacy-relevant item: deep analysis explicitly extracts manifest fields such as AppID, permissions and third-party SDKs (e.g., ad SDKs), which can contain sensitive identifiers; while relevant to analysis, this means the engine or any downstream tooling could see secrets embedded in project files. SKILL.md does not instruct sending data to external endpoints, but the script can attempt to pip-install an external package (network activity) and will write temporary output to disk.
Install Mechanism
There is no registry-level install spec; the scripts prompt to install 'skill-seekers' via pip if it is missing. That is a normal but moderate-risk pattern: pip fetches code from the Python Package Index (network download). The skill does not embed or download arbitrary binaries itself, but automatic installation is attempted once the user consents. If you do not trust 'skill-seekers', inspect it or install it manually from a known source before running this skill.
Credentials
The skill does not request environment variables, credentials, or config paths in the manifest. That is appropriate for a local code analyzer. Caveat: the analyzer reads project files (and saves copies to temporary directories), so secrets stored in repository files (manifest.json, package.json, config files, or accidentally committed .env-like files) will be included in analysis outputs. The base config does attempt to exclude common secret files (e.g., .env patterns), but the shipped exclude lists contain small oddities (e.g., 'package.json' is listed as an excluded file in some type configs, which conflicts with the expected parsing of that file).
Persistence & Privilege
The skill is not marked always:true and does not declare elevated platform privileges. It writes temporary analysis output into an analysis-output directory under the project and creates temp config files; that is expected for a local analyzer. It does not modify other skills or system-wide settings.
What to consider before installing
- The tool is an offline project analyzer and its requirement (a 'skill-seekers' engine) makes sense for that purpose, but the implementation has bugs/inconsistencies (config merging and exclusion lists); test it on a non-critical project first.
- Running the script may attempt to pip install 'skill-seekers' (network download). If you are concerned, fetch and inspect that package manually before allowing the script to auto-install: `pip download --no-deps skill-seekers -d ./vetting` downloads the distribution without installing it, so you can unpack and review its source first.
- Deep analysis parses manifest.json / package.json and will record AppIDs, plugin names and other metadata; do not run this on repositories that contain secrets or sensitive credentials you do not want written to temporary output directories. Use Preview mode first to see which files would be analyzed.
- Because the config handling appears not to merge type-specific configs correctly and some configs exclude package.json, behavior may be unexpected; verify detection and exclusion behavior on a test repo and use the --preview/-Preview flag to check the file list before proceeding.
- Best practice: run the tool inside an isolated environment (container or VM) or on a copy of the repository, examine generated analysis files before sharing them, and review the 'skill-seekers' package source if you plan to use this in production.
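The last three points amount to one pre-flight check: merge the base and type configs yourself, confirm which files the exclusion rules would actually keep or drop, and flag any file a config both deep-parses and excludes (the package.json contradiction noted above). The following script is an added example, not the skill's own code or its config format; the config keys (deep_parse, exclude_dirs, exclude_files, exclude_patterns), the sample project and the "vue3" type config are all constructed for illustration.

```python
import fnmatch
import tempfile
from pathlib import Path

# Constructed configs in a hypothetical shape; the skill's real config keys may differ.
BASE_CONFIG = {
    "deep_parse": ["manifest.json", "pages.json", "package.json"],
    "exclude_dirs": ["node_modules", "unpackage"],
    "exclude_files": [],
    "exclude_patterns": [".env*", "*.pem", "*.key"],
}
TYPE_CONFIG = {  # a made-up "vue3" type config that (wrongly) excludes package.json
    "vue_version": 3,
    "exclude_dirs": ["dist"],
    "exclude_files": ["package.json"],
}


def merge_config(base, type_cfg):
    """Merge base + type config: list fields are unioned (order kept), scalars overridden."""
    merged = dict(base)
    for key, value in type_cfg.items():
        if isinstance(value, list) and isinstance(merged.get(key), list):
            merged[key] = list(dict.fromkeys(merged[key] + value))
        else:
            merged[key] = value
    return merged


def config_conflicts(cfg):
    """Files listed both for deep parsing and as excluded: one of the two lists is wrong."""
    return sorted(set(cfg["deep_parse"]) & set(cfg["exclude_files"]))


def is_excluded(rel_path, cfg):
    """Apply the exclusion rules to one project-relative path."""
    path = Path(rel_path)
    if any(d in path.parts[:-1] for d in cfg["exclude_dirs"]):
        return True
    if path.name in cfg["exclude_files"]:
        return True
    return any(fnmatch.fnmatch(path.name, pat) for pat in cfg["exclude_patterns"])


def preview(root, cfg):
    """Return (analyzed, excluded) relative paths: what a preview mode should show."""
    root = Path(root)
    analyzed, excluded = [], []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            (excluded if is_excluded(rel, cfg) else analyzed).append(rel)
    return analyzed, excluded


# Constructed sample project; the .env content stands in for a secret that must not be copied.
DEMO_FILES = {
    "manifest.json": '{"appid": "__UNI__DEMO", "permissions": []}',
    "pages.json": '{"pages": []}',
    "package.json": '{"dependencies": {"vue": "^3.0.0"}}',
    ".env": "API_TOKEN=do-not-ship-me",
    "src/App.vue": "<template><view/></template>",
    "node_modules/dep/index.js": "module.exports = {}",
}


def build_demo_project(root):
    for rel, content in DEMO_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def run_demo():
    """Build the sample project in a temp dir and run the pre-flight check on it."""
    root = tempfile.mkdtemp(prefix="uniapp-preview-")
    build_demo_project(root)
    cfg = merge_config(BASE_CONFIG, TYPE_CONFIG)
    analyzed, excluded = preview(root, cfg)
    return {"config": cfg, "conflicts": config_conflicts(cfg),
            "analyzed": analyzed, "excluded": excluded}


if __name__ == "__main__":
    result = run_demo()
    for key in ("conflicts", "analyzed", "excluded"):
        print(f"{key}: {result[key]}")
```

Run it against a copy of your own project by replacing the demo root with the repository path: anything that shows up under "analyzed" is what gets copied to the temp directory and handed to the engine, so a .env or key file appearing there means the exclusion patterns are wrong for your layout. A non-empty "conflicts" list is the package.json problem described above, surfaced before anything runs.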
