← 返回 Skills 市场
114
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install npm-supply-chain-security
功能描述
Help secure JavaScript projects by detecting malicious npm packages, enforcing trusted publishing, verifying releases, and auditing dependencies for threats.
安全使用建议
This skill appears coherent and aligned with its stated purpose, but the package comes from an unknown source with no homepage — so do not run any example scripts or CI steps verbatim without review. Before using: (1) inspect and test Python/JS snippets in a sandbox, (2) ensure any tokens used are scoped and short-lived (least privilege), (3) prefer GitHub Actions workflows that use OIDC or limited publish tokens, and (4) verify the skill/author provenance (repo, signatures, or known maintainer) before applying its automation to production repositories.
功能分析
Type: OpenClaw Skill
Name: npm-supply-chain-security
Version: 1.0.0
The skill bundle provides educational content and utility scripts focused on npm supply chain security, including GitHub Actions workflows for trusted publishing and Python/JavaScript scripts for auditing dependencies. No malicious behavior, data exfiltration, or prompt injection attempts were found in SKILL.md or the associated code examples.
能力评估
Purpose & Capability
Name/description (npm supply-chain security) match the content of SKILL.md: guidance, heuristics, and example scripts for verifying releases, configuring trusted publishing, and auditing dependencies. Nothing required by the skill (no env vars, no installs) is disproportionate to that purpose.
Instruction Scope
Runtime instructions and code examples only access npm registry and GitHub APIs and read package.json for local audits — all relevant to the stated purpose. The examples do not instruct reading unrelated system files or exfiltrating data to unknown endpoints.
Install Mechanism
No install spec or executable downloads are present (instruction-only). This minimizes disk footprint and reduces install-time risk.
Credentials
The skill declares no required environment variables or credentials. Examples reference typical tokens (NODE_AUTH_TOKEN, short-lived tokens) appropriate for publishing workflows; nothing asks for unrelated secrets or broad credentials.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. There is no evidence it attempts to persist credentials or alter agent-wide settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install npm-supply-chain-security - 安装完成后,直接呼叫该 Skill 的名称或使用
/npm-supply-chain-security触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release – protect JavaScript projects from npm supply chain attacks using practical security examples and heuristics.
- Explains key supply chain risks, including real-world incidents
- Details best practices: trusted publishing, release verification, dependency monitoring, and token management
- Provides example code for trusted publishing (npm, GitHub Actions) and red flag detection scripts (Python, JavaScript)
- Lists tool dependencies for script usage
元数据
常见问题
Npm Supply Chain Security 是什么?
Help secure JavaScript projects by detecting malicious npm packages, enforcing trusted publishing, verifying releases, and auditing dependencies for threats. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 114 次。
如何安装 Npm Supply Chain Security?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install npm-supply-chain-security」即可一键安装,无需额外配置。
Npm Supply Chain Security 是免费的吗?
是的,Npm Supply Chain Security 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Npm Supply Chain Security 支持哪些平台?
Npm Supply Chain Security 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Npm Supply Chain Security?
由 Robinyves(@robinyves)开发并维护,当前版本 v1.0.0。
推荐 Skills