📦 CVE Audit Skill — Utility

v1.0.1

Security auditing skill for scanning CVE vulnerabilities across npm, Python, Go, and Rust projects using osv-ui. Opens a visual browser dashboard for human r...

Security scan
VirusTotal: harmless
OpenClaw: safe (medium confidence)
The skill's instructions and requirements are coherent with a dependency-audit utility, but it relies on npx (remote npm package execution) and doesn't declare that dependency — this is expected for the task but worth caution.
Assessment recommendations
This skill appears to do what it claims: run osv-ui via npx, show a dashboard, and propose fixes. Before using it, ensure you: (1) have Node/npm and npx available or adjust the instructions; (2) understand that npx will fetch and execute code from the npm registry — review or pin the osv-ui package source/version if you require higher assurance; (3) run scans in an isolated environment (container/VM) if you're worried about executing remote code or exposing local registry credentials; (4) verify...
Detailed analysis
Purpose and capabilities
The skill is a CVE/audit helper and its SKILL.md shows exactly the commands you'd expect (npx osv-ui, parse JSON, show fixes). However, the metadata declares no required binaries while the instructions assume node/npm/npx are available; that's a minor inconsistency but not malicious.
Instruction scope
Instructions stay on-task: scan projects, export JSON, open a dashboard, show fix commands, and re-scan after applying fixes. The skill explicitly requires user confirmation before applying changes. It does not instruct reading unrelated system files or exfiltrating data.
Install mechanism
There is no install spec (instruction-only). Runtime use relies on npx, which will fetch and execute code from the npm registry if the package is not installed locally — this is normal for this use case but carries the usual risk of executing remote package code.
Credential requirements
The skill requests no environment variables or credentials (appropriate). Be aware that running npm/npx/npm install can implicitly use local npm config (.npmrc) or registry auth tokens present on the host; the SKILL.md does not acknowledge that, so credentials could be used by those commands even though not requested.
Persistence and permissions
The skill is not always-enabled, does not request persistent privileges, and does not modify other skills or global agent configuration. It is user-invocable and can be run autonomously by the agent (default), which is normal.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Install command

Official: npx clawhub@latest install osv-ui
Mirror (accelerated): npx clawhub@latest install osv-ui --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库