Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Package.json Generator

v1.0.0

Generates a professional package.json with best-practice scripts, dependencies and configuration.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description promise 'best-practice validation', dependency separation, semantic versioning, and a flag-style CLI, but the included package-json-generator.sh only writes a minimal package.json from two positional arguments (name and version). The declared capabilities are disproportionate to the provided code.
Instruction Scope
SKILL.md shows usage with options (--name, --type, --framework) and claims validations and dependency management, but the runtime artifact only generates a basic package.json and accepts positional args. The script unconditionally writes to package.json (cat > package.json), overwriting any existing file without confirmation — a destructive behavior not documented in SKILL.md. There is no network access or exfiltration, however the mismatch between instructions and implementation is significant.
Install Mechanism
No install spec (instruction-only) and only a simple shell script are included. No external downloads or package installs are performed by the skill bundle itself, which is low risk.
Credentials
The skill requests no environment variables, credentials, or config paths, and the script does not access sensitive env vars. This is proportionate to a package.json generator.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges or modify other skills' configuration. Its only filesystem effect is writing a package.json in the current directory.
What to consider before installing
This skill's marketing and README promise more than the delivered code. Before installing or running it:
1) Don't run it in a real project root: it will overwrite package.json without prompting. Run it in a disposable directory first.
2) Note that SKILL.md shows --name/--type flags but the script only accepts positional name and version arguments. Ask the author for a corrected CLI or an updated script.
3) If you need true "best-practice" generation (dev/prod dependency separation, validations), use a well-known tool (npm init, create-node-app, Yeoman generators) or review and extend the script yourself.
4) If you still want to use this skill, ask the maintainer to add safety checks (refuse to overwrite, back up an existing package.json), implement the advertised options, and document the exact behavior.


Tags: generator, latest, node, npm, package.json


Runtime requirements

📦 Clawdis
