preciousdust

axios-supply-chain-attack-check

Author: hometown · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 97 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install axios-supply-chain-attack-check
Description
Provides a quick 1-minute script to detect and handle malicious axios versions and backdoor dependencies in front-end projects.
Usage instructions (SKILL.md)

Skill Instructions

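Use cases

Applies to all front-end projects. When a front-end project's dependencies are found to include a malicious axios version (1.14.1/0.30.4) or the [email protected] backdoor dependency, or when the development/build environment shows anomalous outbound connections or unknown script execution, run this skill immediately to complete the emergency response.


Emergency triage

Dependency version risk check and remediation

Run the following command to check whether the project's dependency tree contains a risky version: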

bash ./scripts/check-axios-risk.sh

Safe usage recommendations
This script appears to do what it says, but it's intrusive: it will uninstall packages, remove node_modules and lockfiles, reinstall dependencies from the network, and delete specific files on the host. Before running: (1) review the script and its file-deletion list; (2) commit or back up your repository and lockfiles so you can revert; (3) consider running the detection lines manually first (npm list ...) to confirm findings; (4) run remediation in a safe environment (CI job, dev container, or isolated machine) if possible; (5) be aware npm install will contact the registry to download packages and that using axios@latest may update to a different minor/major version — verify compatibility. If you need reduced-risk diagnosis, run only the checks and review results before allowing automated remediation.
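A read-only way to do the "run only the checks" step, as an added example (not the skill's check-axios-risk.sh): it scans a parsed package-lock.json for the axios versions the page names and for any plain-crypto-js entry. The function names and the sample lockfile are constructed for illustration, and flagging plain-crypto-js at every version is an assumption of this example.

```javascript
// Added example: read-only lockfile check. Nothing is installed, removed or fetched.
// axios versions are the ones named on the page; plain-crypto-js is flagged at any
// version (assumption: the page's version string for it is not recoverable).
const RISKY_VERSIONS = { axios: ["1.14.1", "0.30.4"] };
const RISKY_ANY_VERSION = ["plain-crypto-js"];
const NM = "node_modules/";

function isRisky(name, version) {
  if (RISKY_ANY_VERSION.includes(name)) return true;
  return (RISKY_VERSIONS[name] || []).includes(version);
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path) continue; // "" is the root project itself
    const i = path.lastIndexOf(NM);
    const name = meta.name || (i >= 0 ? path.slice(i + NM.length) : path);
    if (isRisky(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree; record the chain that pulls it in.
function scanDependencies(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (isRisky(name, meta.version)) hits.push({ name, version: meta.version, path: chain.join(" > ") });
    hits.push(...scanDependencies(meta.dependencies, chain));
  }
  return hits;
}

// Real use: findRiskyPackages(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
function findRiskyPackages(lock) {
  return lock.packages ? scanPackages(lock.packages) : scanDependencies(lock.dependencies);
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.27.2" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
  },
};
for (const h of findRiskyPackages(sampleLock)) console.log(`RISK ${h.name}@${h.version} at ${h.path}`);
```

The reported path shows which parent package pulls in the flagged copy, which matters when axios is a transitive dependency rather than a direct one.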
Capability tags
crypto
Capability assessment
Purpose & Capability
The script's checks (npm list axios, npm list plain-crypto-js) and remediation steps (npm uninstall, rm -rf node_modules and lockfiles, npm install, delete specific system files) directly support the stated goal of detecting and mitigating known axios/plain-crypto-js supply-chain compromises. No unrelated credentials, binaries, or services are requested.
Instruction Scope
Instructions are narrowly scoped to run the included shell script, which inspects dependency trees and specific system paths. However, the script performs destructive actions (uninstalling packages, deleting node_modules and lockfiles, reinstalling from the network, and deleting filesystem paths like /Library/Caches/com.apple.act.mond and /tmp/ld.py). These are coherent with remediation but have side effects and require appropriate permissions and backups before running.
Install Mechanism
This is an instruction-only skill with no install spec; nothing is written to disk by an installer beyond the provided script. Low install-surface risk.
Credentials
No environment variables, credentials, or config paths are requested. The script uses npm and filesystem operations which are proportionate to checking and remediating a Node.js front-end project.
Persistence & Privilege
Skill does not request persistent/always-on presence and does not modify other skills or system-wide agent configs. It runs on-demand and requires no elevated platform privileges beyond what the user grants when executing the script.
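How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install axios-supply-chain-attack-check
  3. Once installed, invoke the Skill by name or trigger it with /axios-supply-chain-attack-check
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history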
v1.0.0
- Initial release of axios-supply-chain-attack-check.
- Provides a 1-minute rapid inspection script for detecting malicious axios versions (1.14.1/0.30.4) and related supply chain threats.
- Suitable for all frontend projects to quickly check dependency trees and handle emergencies.
Metadata
Slug axios-supply-chain-attack-check
Version 1.0.0
License MIT-0
Cumulative installs 0
Current installs 0
Historical versions 1
FAQ

What is axios-supply-chain-attack-check?

Provides a quick 1-minute script to detect and handle malicious axios versions and backdoor dependencies in front-end projects. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 97 cumulative downloads so far.

How do I install axios-supply-chain-attack-check?

Run the command "/install axios-supply-chain-attack-check" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.

Is axios-supply-chain-attack-check free?

Yes. axios-supply-chain-attack-check is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does axios-supply-chain-attack-check support?

axios-supply-chain-attack-check runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed axios-supply-chain-attack-check?

It is developed and maintained by hometown (@preciousdust); the current version is v1.0.0.
