Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Force Unwrap Scanner

v1.0.0

Scans a Swift project and reports uses of force unwrap (!) and try!, identifying potential crash risks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description claim a Swift code scanner for `!` and `try!` usages; the declared requirements (no binaries, no credentials) are appropriate for a local static analysis tool.
Instruction Scope
SKILL.md tells the agent to cd into .agent/skills/force-unwrap-scanner and run ./RunSkill.sh [scan|report|fix], but the skill package contains only SKILL.md — the referenced script and its behavior are missing. The 'fix' mode is described as interactive and can modify code; without the actual script or a clear, auditable description of actions (backup, dry-run, file-write rules), executing it would give broad discretion to change source files.
Install Mechanism
No install spec (instruction-only) — lowest-risk delivery. However, because no implementation is present, there is ambiguity about how any required binaries or scripts would be provided in practice.
Credentials
The skill requests no environment variables, credentials, or config paths — that is proportionate for a local static analysis tool.
Persistence & Privilege
`always` is false and there is no declaration of persistence or system-wide configuration changes. The only notable privilege is the implied ability to read and (in 'fix' mode) modify workspace files, which is expected for a code fixer but should be explicitly documented and constrained.
What to consider before installing
This skill's purpose (scanning Swift for force-unwraps) is reasonable, but the SKILL.md expects a RunSkill.sh that is not included — do NOT run any unreviewed script. Before installing or invoking:
1) request the missing RunSkill.sh or the tool implementation and inspect it line-by-line (or ask the author to provide a reproducible, auditable implementation);
2) run only in 'scan' or 'report' (read-only) modes first;
3) back up your repository or run inside a disposable clone/container before trying 'fix';
4) verify the script makes no network calls or credential usage and logs/asks for confirmations before modifying files;
5) prefer tools from a trusted source or add explicit checks (dry-run, explicit file-change list) before allowing automated fixes.
If the author cannot supply the missing script or a clear implementation, treat this package as incomplete/untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97eghqv4ewg20z1kg9bq3658n83jpgk


Runtime requirements

Clawdis