Python Package HarmonyOS Compatibility Testing Skill (Python包鸿蒙兼容性测试技能)

Verdict: Warn

Audited by ClawScan on May 18, 2026.

Overview

The skill's capabilities match its stated purpose, but it downloads package source with TLS verification disabled and runs third-party test code, so it should be reviewed and sandboxed before use.

Install only if you are comfortable running package-download and pytest workflows locally. Use a disposable virtual environment or container, avoid elevated privileges, and consider fixing the downloader to require normal TLS verification before testing packages.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: TLS verification disabled in the source downloader

What this means

An on-path attacker, or any proxy that terminates TLS, could substitute altered package source, leading to false compatibility results or unsafe code being processed during testing.

Why it was flagged

The GitHub source downloader explicitly disables TLS hostname and certificate verification before fetching package source, which undermines the authenticity of remote code used by the checker.

Skill content
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
Recommendation

Keep TLS verification enabled, fail closed on certificate errors (do not catch them and retry unverified), take source locations from canonical package metadata or explicit user-provided URLs, and prefer pinned versions or hashes so an altered download is rejected before it is tested.
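The following is an added illustration of that recommendation, not code from the skill or from ClawScan: the flagged context construction next to a verified one, plus a downloader that fails closed on certificate errors and rejects any body that does not match a pinned SHA-256. The function names, the sample source bytes and the pin computed from them are constructed for this example; in real use the pin would come from the package index metadata or a lock file.

```python
import hashlib
import hmac
import ssl
import urllib.request


def insecure_context() -> ssl.SSLContext:
    """The pattern ClawScan flagged: both checks off, so any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Verified TLS: chain validation against the system trust store plus hostname match.

    create_default_context() already sets both; re-asserting them makes a later
    "temporary" relaxation stand out in code review.
    """
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_verified(ctx: ssl.SSLContext) -> bool:
    """Check a test suite can run against whatever context the downloader builds."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_pin(data: bytes, expected_sha256: str) -> bool:
    """Constant-time compare of the downloaded body against a pinned SHA-256."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def fetch_pinned_source(url: str, expected_sha256: str, timeout: float = 30.0) -> bytes:
    """Download url over verified TLS and refuse the body unless it matches the pin.

    ssl.SSLCertVerificationError is deliberately not caught: a bad certificate
    must abort the run (fail closed) rather than fall back to an unverified fetch.
    """
    if not url.lower().startswith("https://"):
        raise ValueError(f"refusing non-HTTPS source URL: {url}")
    with urllib.request.urlopen(url, timeout=timeout, context=secure_context()) as resp:
        body = resp.read()
    if not matches_pin(body, expected_sha256):
        raise RuntimeError(f"SHA-256 mismatch for {url}; refusing to test altered source")
    return body


# Constructed sample standing in for a downloaded sdist; the pin is computed here
# only so the example runs offline.
SAMPLE_SOURCE = b"def add(a, b):\n    return a + b\n"
SAMPLE_PIN = sha256_hex(SAMPLE_SOURCE)

if __name__ == "__main__":
    print("insecure context verified?", context_is_verified(insecure_context()))
    print("secure context verified?", context_is_verified(secure_context()))
    print("sample matches pin?", matches_pin(SAMPLE_SOURCE, SAMPLE_PIN))
    print("tampered matches pin?", matches_pin(SAMPLE_SOURCE + b"# evil\n", SAMPLE_PIN))
```

The hash check is what turns "the connection was authenticated" into "this is the source I meant to test": even with TLS intact, a compromised mirror or a moved tag would otherwise pass silently.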

Finding 2: package test code is executed locally

What this means

Testing an untrusted package runs that package's code (its test modules and any conftest.py files pytest collects) with the local permissions of the user running the checker.

Why it was flagged

The advertised workflow runs pytest on package tests; this is central to compatibility checking, but pytest executes Python test code from the selected package.

Skill content
4. **Run Tests** - pytest with verbose output, per-function reporting
Recommendation

Run the checker only in a disposable virtual environment or container, avoid sudo/admin execution, and test only packages or source locations you trust.
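One way to apply that recommendation in the checker itself, as an added example that is not the skill's code: a runner that refuses to start as root, installs the package into a throwaway venv, passes the child only an allowlisted environment (so package test code cannot read cloud keys or tokens from the parent shell), confines pytest's temp files, and deletes everything afterwards. The allowlist, function names and timeout are assumptions for this example.

```python
import os
import shutil
import subprocess
import tempfile
import venv

# Allowlist of variables the child needs; everything else (cloud keys, GITHUB_TOKEN,
# pip index credentials, SSH agent sockets) is dropped. Assumed list for this
# example; widen it deliberately rather than passing os.environ through.
ALLOWED_ENV = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "TERM")


def scrub_env(env) -> dict:
    """Return only allowlisted variables, so package test code cannot read stray secrets."""
    return {k: v for k, v in env.items() if k in ALLOWED_ENV}


def is_privileged() -> bool:
    """True when running as root on POSIX; Windows has no geteuid, so report False."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


def pytest_command(python: str, package_dir: str, basetemp: str) -> list:
    """pytest -v with per-test result lines (-rA), no on-disk cache, temp files confined to basetemp."""
    return [python, "-m", "pytest", "-v", "-rA", "-p", "no:cacheprovider",
            "--basetemp", basetemp, package_dir]


def run_package_tests(package_dir: str, timeout_s: int = 900) -> int:
    """Install the package into a throwaway venv and run its tests there; return pytest's exit code."""
    if is_privileged():
        raise PermissionError("refusing to run third-party tests as root/admin")
    workdir = tempfile.mkdtemp(prefix="compat-")
    try:
        venv_dir = os.path.join(workdir, "venv")
        venv.EnvBuilder(with_pip=True, clear=True).create(venv_dir)
        if os.name == "nt":
            python = os.path.join(venv_dir, "Scripts", "python.exe")
        else:
            python = os.path.join(venv_dir, "bin", "python")
        env = scrub_env(os.environ)
        # Installing already executes setup.py/build hooks, so it runs in the same venv and env.
        subprocess.run([python, "-m", "pip", "install", "--no-cache-dir", "pytest", package_dir],
                       env=env, check=True, timeout=timeout_s)
        result = subprocess.run(pytest_command(python, package_dir, os.path.join(workdir, "tmp")),
                                cwd=workdir, env=env, timeout=timeout_s)
        return result.returncode
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    import sys
    sys.exit(run_package_tests(sys.argv[1]) if len(sys.argv) > 1 else 2)
```

A venv only isolates what gets installed where; it does not stop test code from reading the home directory or opening network connections. For packages you do not trust, run this whole runner inside a container or VM with no credentials mounted and only the network access pip needs.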