← 返回 Skills 市场

Fix NPM Vulnerabilities

Name: Fix NPM Vulnerabilities
Author: jelllove

作者 jelllove · GitHub ↗ · v1.0.1 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install fix-npm-vuln

功能描述

This skill should be used when the user asks about "npm vulnerabilities", "npm audit", "fix npm security", "security vulnerabilities in packages", "vulnerabl...

使用说明 (SKILL.md)

NPM Vulnerability Fix Skill

This skill provides guidance when users mention npm security vulnerabilities and suggests the automated fix workflow.

When This Skill Applies

This skill activates when the user's request involves:

Running npm audit or discussing audit results
Fixing npm security vulnerabilities
Updating vulnerable npm dependencies
Dealing with outdated packages that have known CVEs
Security scanning of Node.js projects

Guidance

When a user mentions npm vulnerabilities or security issues in their Node.js project, suggest using the /fix-npm-vuln slash command which provides a complete automated workflow:

Clean working tree — reverts uncommitted changes (with confirmation)
Branch management — switches to main, pulls latest, creates a fix branch
Vulnerability scanning — scans all package.json directories
Automated fixing — runs npm audit fix with smart escalation
Clean environment — removes all node_modules, build caches, and reinstalls dependencies fresh
Build verification — ensures the project still builds
Test verification — ensures tests still pass
Summary report — displays all changes made

Suggested Response

When this skill activates, inform the user:

You can use /fix-npm-vuln to run a complete automated npm vulnerability fix workflow. It will scan all project directories, fix vulnerabilities, verify builds and tests, and create a dedicated branch with all the changes. Would you like to run it?

Important Notes

The command requires a git repository to work
It will create a new branch for the fixes (does not modify main directly)
User confirmation is required before reverting any uncommitted changes
Build and test failures are handled interactively

Tool Auto-Installation

If a tool required to complete any step is not installed on the current machine, apply the following policy before asking the user:

Check availability — verify whether the tool is missing (e.g. where tool or which tool returns nothing)
Assess risk — a tool is considered low-risk if it is:
- Publicly available (official npm package, well-known CLI, OS package manager)
- Widely used and maintained (e.g. npm-check-updates, snyk, yarn, pnpm)
- Non-destructive by default (does not modify system files, does not require elevated permissions)
Auto-install if low-risk — install silently without asking the user:
- npm global tool: npm install -g \x3Ctool>
- winget (Windows): winget install \x3Ctool>
- Other package managers as appropriate for the OS
Ask the user if high-risk — if the tool requires admin rights, modifies system config, or is from an unverified source, show the install command and ask for confirmation before proceeding.

安全使用建议

This skill appears to genuinely aim at automating npm vulnerability fixes, but it includes a policy to auto-install tools silently (npm -g, winget, etc.) and will modify your git repo (reverting changes, creating branches, running builds/tests). Before installing or running it: 1) disable or remove the silent auto-install behavior and require explicit consent for any global/system installs; 2) ask which exact packages (names and versions/hashes) it will install and prefer pinned versions from known maintainers; 3) run the workflow in a disposable environment (container or VM) or on a CI branch to avoid unintended changes; 4) ensure you have a backup of your repo and CI runs before merging automated fixes; 5) require confirmation for any destructive actions (revert, global install, or admin-elevated commands). These mitigations reduce risk while still allowing the skill to perform its intended purpose.

功能分析

Type: OpenClaw Skill Name: fix-npm-vuln Version: 1.0.1 The SKILL.md file contains instructions that direct the AI agent to perform silent global installations of software (e.g., 'npm install -g <tool>') without seeking user confirmation. While the stated intent is to facilitate npm vulnerability remediation using tools like 'snyk' or 'pnpm', the instruction to bypass user consent for system-level changes is a significant security risk that could be exploited to install arbitrary packages. This behavior qualifies as a high-risk vulnerability/pattern rather than confirmed malice.

能力评估

✓ Purpose & Capability

Name/description and SKILL.md align: the skill focuses on running npm audit/fixes, scanning package.json, creating a fix branch, building and testing. Required resources declared (none) are consistent with a guidance-only skill.

⚠ Instruction Scope

SKILL.md instructs the agent to read project files (package.json), manage git state (revert uncommitted changes, switch branches), run build/tests, and — importantly — to auto-install missing tools. The silent auto-install policy (install without asking for 'low-risk' tools) grants the agent broad discretion to download and run software and modify the system, which goes beyond simply advising on npm vulnerabilities.

⚠ Install Mechanism

Although the skill bundle has no install spec, the runtime policy directs using npm global installs, winget, and other package managers. Global npm installs and package-manager installs download and execute code from external registries — this is moderate-to-high risk when done automatically and silently, especially if the exact packages are not pre-specified or pinned.

✓ Credentials

The skill does not request credentials or environment variables, which is appropriate. However, the workflow may require network access and elevated permissions to install global tools and will modify the user's git repository; these side effects are not expressed as required permissions and could surprise users.

ℹ Persistence & Privilege

The skill is not always-enabled and does not modify other skills, but its instructions modify system state (installing global tools) and repository state (creating branches, reverting changes). That behavior is expected for remediation but should require explicit user confirmation; the SKILL.md's silent install rule is the main privilege concern.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install fix-npm-vuln
安装完成后，直接呼叫该 Skill 的名称或使用 /fix-npm-vuln 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

Re-publish with formatting fixes

v1.0.0

Initial release of fix-npm-vuln: - Introduces a skill for addressing npm vulnerabilities in Node.js projects. - Guides users on when and how to use the /fix-npm-vuln automated fix workflow. - Outlines step-by-step process: from scanning to auto-fixing vulnerabilities, branch management, build/test verification, and summary reporting. - Describes auto-installation policy for required tools, handling common package managers and safety checks. - Provides recommended user-facing response and important operational notes.

元数据

Slug fix-npm-vuln

版本 1.0.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题