sunshine-del-ux

Package.json Generator

Author: Sunshine-del-ux · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 391
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install package-json-generator
Description
Generates a professional package.json with best-practice scripts, dependencies, and configuration.
Safe usage recommendations
This skill's marketing and README promise more than the delivered code. Before installing or running it:
  1. Don't run it in a real project root: it will overwrite package.json without prompting. Run it in a disposable directory first.
  2. Note SKILL.md shows --name/--type flags but the script only accepts positional name and version. Ask the author for a corrected CLI or updated script.
  3. If you need true "best-practice" generation (dev/prod deps, validations), use a well-known tool (npm init, create-node-app, Yeoman generators) or review and extend the script yourself.
  4. If you still want to use this skill, request the maintainer to add safety checks (refuse to overwrite, back up existing package.json), implement the advertised options, and document exact behavior.
Functional analysis
Type: OpenClaw Skill
Name: package-json-generator
Version: 1.0.0
The `package-json-generator.sh` script directly interpolates user-supplied arguments (`$1` and `$2`) into the generated `package.json` file without proper sanitization or escaping. This creates a JSON injection vulnerability, allowing an attacker to manipulate the structure or content of the `package.json` file by providing crafted input (e.g., containing double quotes or other JSON metacharacters). This is a flaw that allows an attack, classifying it as suspicious rather than malicious, as there is no evidence of intentional harmful behavior like data exfiltration or backdoor installation.
Capability assessment
Purpose & Capability
The name/description promise 'best-practice validation', dependency separation, semantic versioning, and a flag-style CLI, but the included package-json-generator.sh only writes a minimal package.json from two positional arguments (name and version). The declared capabilities are disproportionate to the provided code.
Instruction Scope
SKILL.md shows usage with options (--name, --type, --framework) and claims validations and dependency management, but the runtime artifact only generates a basic package.json and accepts positional args. The script unconditionally writes to package.json (cat > package.json), overwriting any existing file without confirmation — a destructive behavior not documented in SKILL.md. There is no network access or exfiltration, however the mismatch between instructions and implementation is significant.
Install Mechanism
No install spec (instruction-only) and only a simple shell script are included. No external downloads or package installs are performed by the skill bundle itself, which is low risk.
Credentials
The skill requests no environment variables, credentials, or config paths, and the script does not access sensitive env vars. This is proportionate to a package.json generator.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges or modify other skills' configuration. Its only filesystem effect is writing a package.json in the current directory.
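How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install package-json-generator
  3. Once installation completes, call the Skill by name or trigger it with /package-json-generator
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
- Initial release of package-json-generator.
- Generates professional package.json files with standardized scripts and best practices.
- Supports separation of development/production dependencies and semantic versioning.
- Provides command-line usage examples.
Metadata
Slug package-json-generator
Version 1.0.0
License
Total installs 1
Current installs 1
Number of versions 1
FAQ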

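What is Package.json Generator?

It generates a professional package.json with best-practice scripts, dependencies, and configuration. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 391 times in total so far.

How do I install Package.json Generator?

Run the command "/install package-json-generator" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Package.json Generator free?

Yes, Package.json Generator is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Package.json Generator support?

Package.json Generator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Package.json Generator?

It is developed and maintained by Sunshine-del-ux (@sunshine-del-ux); the current version is v1.0.0.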
