Security Scan
OpenClaw
Suspicious
Medium confidence: The skill's stated purpose (fetching KBO results via the kbo-game npm package) matches its instructions, but it omits required prerequisites and instructs a global npm installation that modifies the host system; the manifest and runtime instructions are not fully consistent or least-privilege.
Assessment and recommendations
This skill appears to do what it says (use kbo-game to fetch KBO scores) but it has a few practical and security concerns you should consider before installing or allowing it to run: 1) It requires Node.js and the ability to install global npm packages, but the skill metadata does not declare these prerequisites — expect the agent to run `npm install -g kbo-game` which modifies system-wide files and can require sudo. 2) Installing a global npm package at runtime is persistent and higher-privileg...
ℹ Purpose and capabilities
The skill claims to fetch KBO game data using the kbo-game npm package, and the SKILL.md shows exactly that flow (importing getGame and formatting results). This capability matches the name/description. However, the manifest metadata (requirements) does not declare Node.js, npm, or the need for a global package install, which is an inconsistency.
ℹ Instruction scope
Runtime instructions are narrowly focused on installing/using kbo-game and formatting results. They do not request unrelated files or secrets. One discrepancy: the snippet relies on an environment variable (GLOBAL_NPM_ROOT) set in the wrapper command, but the skill metadata does not declare it; the doc also forbids automatic fallbacks to other sources and insists on global installs.
⚠ Install mechanism
There is no install spec in the manifest, but the SKILL.md instructs the agent to run `npm install -g kbo-game` if the package is missing. Installing a global npm package at runtime writes to system-wide locations and can require elevated privileges (or change the system state). While npm is a known registry, an instruction-only skill that performs global installs is higher risk and should have an explicit install mechanism and manifest declaration.
ℹ Credential requirements
The skill does not request secrets or credentials (no TOKENS/KEYS), which is appropriate. Still, it uses GLOBAL_NPM_ROOT and expects Node.js 18+ and global npm install capability — none of which are declared in the skill's requirements. The expected write access to global npm directories is a privilege that should be declared and justified.
⚠ Persistence and permissions
The skill state is not marked always:true (good), but instructing a global npm install means the skill will change system state persistently (new global package files). The SKILL.md also calls the skill '조회 전용' (read-only), which contradicts the install step. This persistent, system-wide modification is a notable privilege and should be explicit and gated by user consent.
Security is a matter of degree; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/4/17)
- Initial release: Easily fetch and summarize KBO league game results and schedules for any date.
- Uses the kbo-game npm package to display game scores, statuses, and schedules.
- Supports filtering by team and user-friendly, compact scoreboard summaries.
- Requires global installation of the kbo-game package; does not fall back to unofficial sources.
- Handles requests like "today's KBO games," "yesterday's results," or specific-date scoreboards.
● Suspicious
Install command
Official: npx clawhub@latest install kbo-results
Mirror (accelerated): npx clawhub@latest install kbo-results --registry https://cn.longxiaskill.com (mirror available)