matrixbnuhs
v1.0.0Matrix-BNUHS知识协作网络系统。为教育场景提供多维度知识组织、协作编辑、版本控制和权限管理能力。当用户需要(1)搭建知识管理系统、(2)构建教育场景应用、(3)实现多维矩阵组织、(4)创建协作编辑功能、(5)部署React前端应用时使用此skill。基于React + TypeScript构建,支持知识...
⭐ 0· 60·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description describe a React+TypeScript knowledge collaboration system and the SKILL.md contains repository layout, dev commands, APIs, and deployment steps that match that purpose. Nothing requested (envs, binaries, config paths) is incongruent with the stated goal.
Instruction Scope
Instructions tell the agent to git clone https://github.com/wanyview1/Matrix-BNUHS.git, run npm install, npm run dev/build, optionally install Vercel CLI globally, and provide Dockerfile guidance — all appropriate for a project README but they cause the agent/operator to fetch and run external code not included in the skill.
Install Mechanism
There is no install spec and no code files in the skill bundle (instruction-only). This minimizes disk-level installs by the skill itself, but the runtime instructions rely on cloning an external GitHub repo and running npm/docker commands, which means external code will be executed if followed.
Credentials
The skill declares no required environment variables, credentials, or config paths. The instructions do not request secrets or unrelated credentials — proportional to a frontend/project README.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It does suggest global installation of the Vercel CLI (optional), which modifies the environment if performed by the operator.
Assessment
This skill is essentially a README telling you how to clone and run an external GitHub project. That is coherent with its description, but cloning and running external code can execute arbitrary code on your machine or environment. Before running the commands: (1) inspect the GitHub repo and specific commit/tag you will clone (prefer a pinned commit or release), (2) review package.json and Dockerfile for unexpected postinstall scripts or network calls, (3) avoid installing global CLIs unless necessary—use containers or ephemeral sandboxes instead, (4) run npm install and builds inside a container or VM, (5) verify licensing and project origin. If you want higher assurance, request that the skill bundle include the code (or a signed release URL and checksum) so the skill's contents can be statically reviewed.Like a lobster shell, security has layers — review code before you run it.
latestvk978fxzph5znygknp2yredzjdx84n87n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.