by 安全扫描
OpenClaw
安全
high confidenceNULL
评估建议
This skill appears to do what it claims, but it will make persistent, user-level changes: it can set your git global user.name/user.email, generate an SSH key at ~/.ssh/id_ed25519 (if one is absent), and upload that public key to your GitHub account via the gh CLI. Before running bootstrap/publish: (1) verify the repo path and backup any existing ~/.ssh/id_ed25519 and your git global config if you care about them; (2) run bootstrap only on machines you control; (3) be prepared to complete gh aut...详细分析 ▾
✓ 用途与能力
The name/description (publish reports to the ZeeLin site) matches the included scripts and instructions: copying assets, editing public/reports_config.json, running npm build, creating a feature branch, pushing, and opening a PR. Required binaries (git, python3, npm, optionally gh) are appropriate for these tasks.
ℹ 指令范围
SKILL.md and the scripts instruct the agent to configure global git identity, generate/upload an SSH key, verify push access, mutate repo files (reports_config.json and public/<category>), run npm build, commit, push, and create a PR. These actions are within the publishing scope but are intrusive (global git config changes, SSH key creation/upload, remote push dry-run and real push). The instructions do not read unrelated system files or request unrelated credentials.
✓ 安装机制
There is no install spec; the skill is instruction-plus-scripts only. That reduces supply-chain risk. Provided scripts are plain bash/Python and do not download arbitrary archives or execute code fetched from unknown servers.
ℹ 凭证需求
No environment variables or external credentials are declared or required. However, the bootstrap script will create an SSH key at ~/.ssh/id_ed25519 (if missing) and, when the GitHub CLI (gh) is available and authenticated, will upload that public key to the user's GitHub account. That is a sensitive operation but is reasonably explained by the need to ensure SSH-based repo push access.
ℹ 持久化与权限
The skill does not request always:true and does not autonomously persist itself into other skills. It does modify user-level state: git global config (user.name/user.email) and the user's ~/.ssh keys (possibly creating and uploading a key). Those are user-wide changes that persist beyond a single run and thus warrant explicit user consent before running bootstrap.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.12026/3/8
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install zeelin-report-publisher
镜像加速npx clawhub@latest install zeelin-report-publisher --registry https://cn.longxiaskill.com