Web Module Runner

v1.0.0

👩‍🚀 The tiny all-in-one development tool for modern web apps. web-module-runner, javascript, build-tool, esmodules, preact.

bybytesagain4@xueyetianya
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
✓ Purpose & Capability
Name/description match the included script and SKILL.md. The code implements a local logging/utility tool that records commands and provides exports/stats, which is coherent with the stated purpose.
ℹ Instruction Scope
Instructions and the script operate only on a data directory under the user's home (~/.local/share/web-module-runner) and stdout. They do log arbitrary user-provided inputs (the values you pass to commands), so the skill can end up storing sensitive strings if you supply them. There is no code that reads unrelated system files or sends data to external endpoints.
✓ Install Mechanism
No install spec; instruction-only with a single included shell script. Nothing is downloaded or installed from remote URLs; no extract or package manager usage is present.
ℹ Credentials
No environment variables or credentials are requested. The script uses HOME and standard POSIX utilities only. However, because it persistently logs any input you provide, it may inadvertently collect secrets (API keys, tokens, passwords) if you pass them as command arguments.
✓ Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide agent settings, and its persistent footprint is limited to a user-local directory (~/.local/share/web-module-runner). This is proportionate for a CLI logging tool.
Scan Findings in Context
[unicode-control-chars] unexpected: A pre-scan flagged unicode control characters in SKILL.md. This repository otherwise contains only an emoji and YAML frontmatter; the control-char finding may be a benign artifact (invisible characters or formatting), but could also be an attempt at prompt-injection in the metadata. The script itself contains no network calls or code that would leverage such injection.
Assessment
This skill is a local logging/utility tool and appears coherent with its description, but take these precautions before installing or using it:

- Do not pass secrets (API keys, passwords, tokens) as command arguments; anything you pass can be appended to logs under ~/.local/share/web-module-runner/*.log and history.log.
- Inspect and optionally remove the data directory (~/.local/share/web-module-runner) if you stop using the tool. Check and tighten file permissions if needed (e.g., chmod 700 the directory).
- Review SKILL.md raw content for any unexpected invisible Unicode/control characters (the scanner flagged these). If you see suspicious hidden characters, ask the provider for a clean copy or avoid installing.
- The JSON export routine in the script has minor bugs (it writes a literal "\n]" which may not produce valid JSON newlines), so validate exported files before feeding them into other tools.
- If you want stronger isolation, run the script in an isolated environment (container or dedicated user account) to avoid accidental logging of sensitive system state.

Overall: functionality is coherent and local-only, but be careful about what you log.
