Risk Forge
PassAudited by ClawScan on May 14, 2026.
Overview
Risk Forge appears to be a legitimate testing and report-generation skill, with the main caveat that its local helper reads git metadata and writes report files.
This skill is reasonable to use for local QA and risk-report generation. Before running the helper, make sure you are comfortable with it using Node/git, including your git username and branch/commit in reports, and writing HTML/Markdown files in the current working directory.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generating a report will run local git commands in the current environment.
The helper executes local git commands. The commands are fixed and match the documented report metadata feature, but report generation does execute commands on the user's machine.
const { execSync } = require('child_process'); ... execSync('git config user.name', { encoding: 'utf8' })Run the helper only in repositories you intend to analyze, and keep command strings fixed rather than adding user-supplied shell fragments.
Running the tool may create or overwrite local .html and .md report files where it is executed.
The script writes report files into the current working directory using a provided function name. This is expected for a report generator, but the code does not enforce the SKILL.md-described reports directory or sanitize the report name.
const htmlOutputPath = path.join(process.cwd(), `${functionName}-test-report.html`); fs.writeFileSync(htmlOutputPath, htmlReport);Review the output location and feature name before running; the publisher should constrain output to the documented reports directory and sanitize filenames.
Generated reports may contain your git username and current branch/commit.
The report intentionally includes local git identity and version metadata. This is disclosed and purpose-aligned, but it can reveal the user's configured git name and repository branch/commit when reports are shared.
`{{TESTER_NAME}}` - 测试人员姓名(自动从git配置获取); `{{VERSION_INFO}}` - 版本信息(自动从git获取)Check generated reports before sharing them, and adjust git config if you do not want your configured name included.
Package identity and version history are harder to reconcile from the artifacts alone.
The bundled metadata differs from the submitted registry metadata, which lists a different owner ID and version. This is a provenance/version consistency issue, not evidence of malicious behavior.
"ownerId": "kn7agf701n3afzzbq8ge0wa8k1809wm4", "version": "0.1.0"
The publisher should align registry and bundled metadata and provide a source or homepage for easier provenance review.