tvs-analyze
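Author: inksnowhailong · v1.0.0 · MIT-0
Total downloads: 214
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install tvs-analyze
Description
When a user asks for code analysis, it provides the project's structure, dependencies, main business logic, existing problems and related information to help developers understand the project quickly. When a user asks what a piece of code does, it locates the related business-logic code, then analyzes and summarizes its purpose and implementation details.
Security usage recommendations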
This skill appears to do what it claims. Before running: (1) inspect scripts/generate-madge.mjs (already included) — it only runs 'command -v', npx madge, and checks Graphviz; (2) be aware that using npx may download and execute packages from npm at runtime — if you prefer, preinstall madge and graphviz to avoid network fetches; (3) avoid running the tool on directories containing sensitive secrets you don't want written into generated artifacts; (4) resolve the minor path inconsistency in SKILL.md (where to run the script) before use. If you need higher assurance, run the script in a sandboxed environment or review/replace 'npx' invocation with an explicitly installed madge binary.
Functional analysis
Type: OpenClaw Skill
Name: tvs-analyze
Version: 1.0.0
The skill bundle provides project analysis capabilities but includes a Node.js script (`scripts/generate-madge.mjs`) that is vulnerable to command injection. The script uses `execSync` to execute shell commands (running `npx madge`) using unsanitized input from command-line arguments, which could be exploited to achieve Remote Code Execution (RCE) if the AI agent passes malicious user-provided paths to the script. While the functionality aligns with the stated purpose of code analysis, the lack of input sanitization in a shell-executing script represents a significant security risk.
Capability assessment
Purpose & Capability
Name/description (project/code analysis, dependency graph, explain code) align with the provided assets: a SKILL.md describing analysis behavior and a small script to generate madge dependency graphs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md focuses on analyzing project code, producing ASCII diagrams, file/dir overviews and (optionally) generating madge graphs. It does not instruct reading system secrets or unrelated files. Minor inconsistency: the docs show a path 'node .claude/skills/analyze/scripts/generate-madge.mjs' while the repository contains scripts/generate-madge.mjs — likely an install/path expectation but not a security issue.
Install Mechanism
No install spec (instruction-only) — lowest disk risk. The included script uses execSync to call 'npx madge' and 'dot' (Graphviz). npx may fetch packages from the npm registry at runtime (network activity and execution of remote code), which is expected for this workflow but worth noting as a moderate operational risk.
Credentials
The skill requires no environment variables or credentials and writes output into a local '.claude/analyze' directory. Requests are proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill does not request permanent system-level presence or modify other skills. It creates a local output directory within the agent workspace — reasonable for its function.
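How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install tvs-analyze
- After installation, call the Skill by name or use /tvs-analyze to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
- First release, providing code and project analysis capabilities.
- Supports multi-dimensional analysis covering project structure, dependencies, main business logic, and existing problems.
- For code snippets, breaks down the business flow, inputs and outputs, and detailed logic step by step.
- Replies are strictly structured as a one-sentence summary, the main content (by module), and closing suggestions or follow-up questions.
- Enforces Chinese plain-text ASCII diagrams, prioritizing visual presentation of core structure and flow.
- Answers are intuitive and clear in tone, suitable for beginners or non-specialists.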
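FAQ
What is tvs-analyze?
When a user asks for code analysis, it provides the project's structure, dependencies, main business logic, existing problems and related information to help developers understand the project quickly. When a user asks what a piece of code does, it locates the related business-logic code, then analyzes and summarizes its purpose and implementation details. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 214 downloads to date.
How do I install tvs-analyze?
Run the command "/install tvs-analyze" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is tvs-analyze free?
Yes, tvs-analyze is completely free under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does tvs-analyze support?
tvs-analyze runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed tvs-analyze?
Developed and maintained by inksnowhailong (@inksnowhailong); the current version is v1.0.0.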