Security scan
OpenClaw
Suspicious
Medium confidence. The skill's purpose matches its description (check and update dependencies), but SKILL.md assumes that a package manager, git and test commands exist, while the skill metadata declares no required binaries or environment. That inconsistency should be resolved before installing the skill or running it in a real project.
Assessment recommendations
This skill appears to do what it says, but the SKILL.md assumes tools (npm, pip, cargo, go, git) and test commands exist while the metadata declares none; ask the publisher to clarify the required binaries and the exact update/test/commit commands. Before running: (1) run it on a non-critical branch or clone, (2) ensure you have backups and CI or tests configured, (3) verify the tool will prompt for confirmation before applying major updates, and (4) prefer running it manually the first time to review the generated report and changelogs. If you need highe...
ℹ Purpose and capabilities
The name/description (auto-checks and updates dependencies) aligns with the instructions (detect the package manager, run outdated checks, update in stages). However, the metadata declares no required binaries, while the runtime instructions expect the npm, pip, cargo and go toolchains and git to exist. That mismatch is unexplained.
ℹ Instruction scope
The instructions are strictly limited to the stated purpose (scan manifests, run the package manager's outdated command, assess risk, update, run tests, commit). They do not attempt to exfiltrate data or connect to unexpected endpoints.
Concern: the documentation is vague about where to run (project-root detection), which test command to run, and exactly how updates are performed (which update commands are invoked), and it assumes that committing is acceptable and that a VCS exists. These gaps give the agent broad discretion which, if left unconstrained, could lead to unintended changes.
✓ Installation mechanism
Instruction-only skill with no install spec or code files, so nothing is written to disk by the skill itself. This is low install risk.
⚠ Credential requirements
No environment variables or credentials are requested, which is appropriate. However, the skill implicitly requires access to local developer tools (npm, pip, cargo, go, git) and network access to package registries; these are not declared in the metadata. That omission reduces transparency and could surprise users.
✓ Persistence and permissions
always:false and no install steps mean the skill does not request a permanent privileged presence. It does instruct committing changes to the repository, which modifies user data, but this is normal for a dependency updater if the user consents.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0
Output format
● Pending
Install command
Official: npx clawhub@latest install package-updater
Mirror (accelerated): npx clawhub@latest install package-updater --registry https://cn.longxiaskill.com (mirror sync in progress)
Skill documentation
Overview
Scans project dependencies and checks for updates, shows changelogs, and identifies breaking changes.
When to use
- The user asks to "update dependencies" or "check for updates"
- Periodic maintenance
How it works
Step 1: Detect the package manager
package.json → npm
pyproject.toml → pip
Cargo.toml → cargo
go.mod → go
Step 2: Check for outdated dependencies
npm: npm outdated --json
pip: pip list --outdated --format=json
cargo: cargo outdated (a third-party cargo subcommand; it is not part of a stock cargo install, which is one more undeclared binary)
Step 3: Risk assessment
Patch (1.2.3 → 1.2.4): low risk - update automatically
Minor (1.2.3 → 1.3.0): medium - show the changelog
Major (1.2.3 → 2.0.0): high - show breaking changes
Output format
Major Updates: express 4.17.1 → 5.0.0 [BREAKING changes]
Minor Updates: axios 0.21.1 → 0.21.4 [Bug fixes]
Patch Updates: debug 4.3.1 → 4.3.4 [Security patch]
Update strategy
- Show the report first; never update blindly
- Update in stages: patches → minors → majors
- Run the tests after every update
- Commit each update separately
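The workflow above, as an added worked example (not code from the package-updater skill or from ClawHub): a Python script that detects the package manager from the manifest, parses the package manager's outdated report, classifies each bump by semver level, and groups the results into the staged patches → minors → majors plan, with the preflight the security scan asks for (refuse to run when the undeclared binaries are missing from PATH). Assumptions not stated on the page: the JSON shapes of `npm outdated --json` and `pip list --outdated --format=json`, the per-ecosystem binary list, and one added caveat, that a minor bump of a 0.x package is staged with the majors because semver makes no compatibility promise below 1.0. Note that the Step 3 rule files axios 0.21.1 → 0.21.4 as a patch bump, not the minor one the sample report shows. The sample JSON is constructed, not captured from real runs.

```python
import json
import re
import shutil
from pathlib import Path

# manifest -> (ecosystem, binaries the skill would invoke). Assumed mapping;
# git is included because the skill commits after every update.
MANIFESTS = {
    "package.json": ("npm", ("npm", "git")),
    "pyproject.toml": ("pip", ("pip", "git")),
    "Cargo.toml": ("cargo", ("cargo", "git")),
    "go.mod": ("go", ("go", "git")),
}
SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
STAGES = ("patch", "minor", "major", "unknown")


def detect_manager(project_dir):
    """Step 1: pick the ecosystem from the manifest present in project_dir."""
    for manifest, (eco, _) in MANIFESTS.items():
        if Path(project_dir, manifest).is_file():
            return eco
    return None


def missing_binaries(eco, which=shutil.which):
    """Preflight: binaries the skill needs for eco that are absent from PATH.
    `which` is injectable so the check can be exercised without a real PATH."""
    for _, (e, bins) in MANIFESTS.items():
        if e == eco:
            return [b for b in bins if which(b) is None]
    return []


def bump_level(current, latest):
    """Step 3: semver bump level of current -> latest. 'unknown' when a version
    is not x.y.z (npm reports "MISSING" for uninstalled deps), 'none' when
    latest is not newer. Assumed caveat: a 0.x minor bump is treated as major."""
    a, b = SEMVER.match(str(current)), SEMVER.match(str(latest))
    if not a or not b:
        return "unknown"
    cur, new = tuple(map(int, a.groups())), tuple(map(int, b.groups()))
    if new <= cur:
        return "none"
    if new[0] > cur[0]:
        return "major"
    if new[1] > cur[1]:
        return "major" if cur[0] == 0 else "minor"
    return "patch"


def parse_outdated(eco, raw):
    """Step 2: normalise the manager's JSON into (name, current, latest)."""
    data = json.loads(raw)
    if eco == "npm":
        return [(n, v.get("current"), v.get("latest")) for n, v in data.items()]
    if eco == "pip":
        return [(p["name"], p["version"], p["latest_version"]) for p in data]
    raise ValueError(f"no parser for {eco}")


def plan(eco, raw):
    """Update strategy: group outdated packages in the order patch -> minor -> major."""
    stages = {s: [] for s in STAGES}
    for name, cur, new in parse_outdated(eco, raw):
        level = bump_level(cur, new)
        if level != "none":
            stages[level].append((name, cur, new))
    return stages


def render(stages):
    """Output format: one block per stage, shown before anything is updated."""
    lines = []
    for stage in STAGES:
        if stages[stage]:
            lines.append(f"{stage.capitalize()} updates:")
            lines += [f"  {n} {c} -> {l}" for n, c, l in stages[stage]]
    return "\n".join(lines)


# Constructed sample outputs, not captured from real package-manager runs.
NPM_SAMPLE = json.dumps({
    "express": {"current": "4.17.1", "wanted": "4.21.0", "latest": "5.0.0"},
    "axios": {"current": "0.21.1", "wanted": "0.21.4", "latest": "0.21.4"},
    "debug": {"current": "4.3.1", "wanted": "4.3.4", "latest": "4.3.4"},
    "leftpad": {"current": "MISSING", "wanted": "1.0.0", "latest": "1.0.0"},
})
PIP_SAMPLE = json.dumps([
    {"name": "requests", "version": "2.25.1", "latest_version": "2.31.0"},
    {"name": "urllib3", "version": "1.26.5", "latest_version": "2.2.1"},
])

if __name__ == "__main__":
    missing = missing_binaries("npm")
    if missing:
        raise SystemExit(f"refusing to run: undeclared binaries missing: {missing}")
    print(render(plan("npm", NPM_SAMPLE)))
```

With the constructed samples, `plan("npm", NPM_SAMPLE)` puts express in the major stage, axios and debug in the patch stage, and leftpad (current "MISSING") in the unknown stage, which an agent should surface in the report rather than update blindly. The preflight is the piece the scan says is missing from the skill: it turns the undeclared-binary gap into a hard stop instead of a mid-run failure after some updates have already been committed.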