Sbom Generator

By charlie-morrison · GitHub · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Total downloads: 45
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw: /install sbom-generator
Description
Generate Software Bill of Materials (SBOM) in CycloneDX or SPDX format — inventory all dependencies, licenses, vulnerabilities, and supply chain metadata. Re...
Safe-use recommendations
This skill appears to implement an SBOM generator and inspects repository lockfiles and manifests, which is expected. However:
- The SKILL.md relies on local tools (python3, npm, npm audit, and possibly go/cargo/maven/gradle) but the skill metadata lists no required binaries; ask the publisher to declare required tooling.
- npm audit and similar vulnerability checks may perform network calls to vendor advisory services; run the tool in an environment where network access is acceptable and you trust those services.
- The SKILL.md you provided is truncated at the vulnerability section; request the full SKILL.md and verify there are no steps that read unrelated system files or send data to external endpoints.
- Best practice: run this in a sandbox or on a copy of the repository (read-only when possible), verify it doesn't require elevated privileges, and ensure necessary tools are installed from trusted sources before invoking.
If the publisher updates the metadata to list the required binaries and clarifies network usage (and you confirm the rest of the instructions are benign), this would reduce the remaining concerns.
Functional analysis
Type: OpenClaw Skill
Name: sbom-generator
Version: 1.0.0
The sbom-generator skill is a legitimate tool for creating Software Bill of Materials. It uses standard shell commands and Python scripts to parse local package lock files (e.g., package-lock.json, requirements.txt, go.sum) and integrates with official vulnerability scanners like npm audit and govulncheck. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability assessment
Purpose & Capability
The skill's name and description (SBOM generation in CycloneDX/SPDX) align with the actions in SKILL.md: detecting package managers, parsing lockfiles, license analysis, and vulnerability checks. However, the skill metadata declares no required binaries or credentials while the instructions explicitly rely on local tools (python3, npm, possibly go/cargo, npm audit, etc.). The lack of declared tooling is an incoherence: a legitimate SBOM helper should list the tools it needs.
Instruction Scope
The runtime instructions stay within the expected scope: they inspect project files (package-lock.json, requirements.txt, go.sum, Cargo.lock, etc.), parse them, and run local vulnerability/license checks. I saw no instructions to read unrelated system files, access secrets, or exfiltrate data to third-party endpoints. Note: npm audit will contact the npm advisory service (expected for vulnerability checks). The SKILL.md is truncated at the vulnerability step — the remainder could add behavior not visible here.
Install Mechanism
This is an instruction-only skill with no install spec, so nothing will be written to disk by the skill package itself. That is low-risk. Because there is no install step, the skill depends on the agent environment already having the needed tools — which should have been declared.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for a local SBOM tool. However, it does implicitly require local binaries (python3, npm, possibly Go, Rust, Java tooling) and network access for npm audit. The omission of these requirements is a proportionality/coherence concern: the skill asks the runtime to do work requiring tools and network access that are not declared in metadata.
Persistence & Privilege
The skill does not request always:true or any persistent privileges. It's user-invocable and can be invoked autonomously per platform defaults. Nothing in the visible SKILL.md attempts to modify other skills or global agent config.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install sbom-generator
  3. Once installed, call the Skill by name or trigger it with /sbom-generator
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release of sbom-generator.
- Generates Software Bill of Materials (SBOM) in CycloneDX or SPDX formats for compliance and security audits.
- Automatically detects popular package managers for multiple languages (Node.js, Python, Go, Rust, Ruby, PHP, Java, .NET).
- Inventories all dependencies, their versions, licenses, and known vulnerabilities.
- Provides detailed license analysis, including copyleft detection and distribution.
- Offers dedicated commands for CycloneDX, SPDX outputs, and a focused license compliance report.
Metadata
Slug: sbom-generator
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
Frequently asked questions

What is Sbom Generator?

Generate Software Bill of Materials (SBOM) in CycloneDX or SPDX format — inventory all dependencies, licenses, vulnerabilities, and supply chain metadata. Re... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 45 cumulative downloads to date.

How do I install Sbom Generator?

Run the command "/install sbom-generator" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Sbom Generator free?

Yes, Sbom Generator is completely free, licensed under MIT-0, and may be freely downloaded, installed and used.

Which platforms does Sbom Generator support?

Sbom Generator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Sbom Generator?

Developed and maintained by charlie-morrison (@charlie-morrison); current version v1.0.0.
