Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Automatically scans Vue2 projects for potential risks: dependency security, Webpack configuration risks, and Babel configuration issues.
v1.0.0
by @gfrxf
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the actual behavior: scripts check package.json, vue.config.js, babel.config.js and run npm audit/npm list to surface dependency and config issues. No unrelated credentials, binaries, or network endpoints are requested.
Instruction Scope
SKILL.md instructs running scripts from the project root. The scripts only read project files (package.json, vue.config.js, babel.config.js) and invoke local npm commands (npm list, npm audit). There are no hidden remote endpoints or attempts to read unrelated system files. Some checks use simplistic parsing (e.g., core-js version parsing), which may produce false positives, but this is a correctness/quality issue rather than malicious behavior.
Install Mechanism
No install spec: instruction-only with bundled shell scripts. Nothing is downloaded or written to disk by an installer. Risk surface is limited to executing the included scripts.
Credentials
The skill requires no environment variables, no credentials, and no config paths beyond project files. It does run npm audit (which may access the network for audit data) but that is proportional to dependency scanning.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or system-wide config. It runs only when invoked by the user/agent.
Assessment
This skill appears coherent and limited to scanning a Vue2 project. Before running it: (1) review the included scripts yourself (they're small and bundled) to satisfy yourself they only access project files; (2) run them in a sandbox or CI environment if you are cautious — they call npm audit and npm list, which may perform network calls; (3) ensure npm/node are installed in the environment where you run it; (4) be aware of some simplistic checks (e.g., core-js version parsing) that can cause false positives. No credentials are requested and there are no hidden remote endpoints in the scripts.
scripts/checks/check-webpack.sh:13
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
