Security Scan
OpenClaw
Suspicious
High confidence: The skill mostly matches its stated purpose (scaffolding a project) but contains concrete incoherences and bugs (a hardcoded absolute user path and an attempt to create a README.md as a directory) that make its behavior unpredictable and not proportionate to its description.
Assessment recommendations
This skill intends to scaffold a project, but the shipped code is buggy and user-specific. Before installing or running: (1) review and modify index.js to use a portable home directory (e.g., require('os').homedir() or process.env.HOME) instead of '/Users/ton'; (2) remove 'README.md' from the directory-creation loop and create files separately so you don't try to mkdir a filename; (3) add checks to avoid clobbering existing files and return the list of created files as documented; (4) test in a ...
⚠ Purpose and capability
Name/description say 'create scaffold in mission-control workspace' and no credentials/install are requested, which is appropriate — but the code hardcodes the target directory as '/Users/ton/.openclaw-workspace/projects/mission-control' instead of using the documented allowed path (~/.openclaw-workspace/...). The hardcoded '/Users/ton' makes the skill user-specific and non-portable; that mismatch is not justified by the description.
⚠ Instruction scope
SKILL.md describes checks (existence), creating folders and a README, and returning a list of created files. The shipped index.js does not perform an existence check/conditional behavior, does not return a list, and instead always mkdirs. Worse, the 'structure' array includes 'README.md' which the code treats as a directory (mkdirSync) and then later attempts to write a README.md file to the same path — this will cause errors (EISDIR or write failures) and contradicts the documented behavior.
✓ Install mechanism
No install spec or external downloads; the skill is instruction/code-only and relies only on Node.js fs/path. There are no network fetches or remote installers to review.
ℹ Credential requirements
No env vars or credentials are requested (appropriate). The code touches the filesystem under a hardcoded absolute home path, but does not attempt to read environment variables or secrets. The hardcoded user path is unusual but not evidence of secret exfiltration.
✓ Persistence and privileges
The skill does not request elevated platform privileges, and always:false is set. It writes files under a user directory (expected for a scaffolding tool) and does not modify other skills or global config.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest · v1.0.0 · 2026/3/4
Initial release of scaffold-project
- Creates a standard project structure within the mission-control workspace.
- Automatically generates base folders: frontend, backend, database, integrations, marketing.
- Creates a README.md file describing the project.
- Checks for existing folders before creating new ones.
- Returns a list of all created files.
● Suspicious
Install command
Official: npx clawhub@latest install scaffold-project
Mirror (accelerated): npx clawhub@latest install scaffold-project --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库