nanoclaw
This page was generated automatically by offline static analysis; the scores are signal-driven heuristics and should be read together with the evidence and confirmed by manual review.
Project overview
- Name: nanoclaw
- Version: 1.2.6
- Git HEAD: 298c3eade4a8
- Latest commit: 2026-03-04T23:48:23+02:00
- License: LICENSE
- Languages: TypeScript (134), Markdown (59), YAML (15), JSON (9), Shell (4)
README summary
An AI assistant that runs agents securely in their own containers. Lightweight, built to be easily understood and completely customized for your needs.
Scores (0-10)
| Dimension | Score | Grade |
|---|---|---|
| Code quality | 6.5 | 🔵 Good |
| Maintainability | 7.0 | 🔵 Good |
| Robustness | 4.0 | 🟡 Fair |
| Sustainability | 5.5 | 🟡 Fair |
| Portability | 0.0 | 🔴 Poor |
| Overall | 4.6 | 🟡 Fair |
Engineering signals
CI / tests
- CI: 5 workflows: .github/workflows/bump-version.yml, .github/workflows/ci.yml, .github/workflows/skill-drift.yml, .github/workflows/skill-pr.yml, .github/workflows/update-tokens.yml
- CI operating system: linux
- Test signals: file:setup/environment.test.ts, file:setup/platform.test.ts, file:setup/register.test.ts, file:setup/service.test.ts, file:skills-engine/__tests__/apply.test.ts, file:skills-engine/__tests__/backup.test.ts, file:skills-engine/__tests__/constants.test.ts, file:skills-engine/__tests__/customize.test.ts…
Code quality tooling
- Lint / formatting: file:.prettierrc, script:format, script:test, script:typecheck
- Type checking: file:tsconfig.json, script:typecheck
- Validation libraries: node:zod
Security and governance
- Governance: file:.github/CODEOWNERS, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
Tech stack and dependencies
- Node: name=nanoclaw, type=module, lockfile=package-lock.json
- deps: @types/better-sqlite3, @types/node, @vitest/coverage-v8, better-sqlite3, cron-parser, husky, pino, pino-pretty, prettier, tsx, typescript, vitest, yaml, zod
Scoring basis (signal → evidence)
Code quality
- +1.5 CI: 5 workflow(s) (3–5)
- +3 tests: 30 signal(s), density 22% (≥20%)
- +2 lint/format: 4 signal(s) — file:.prettierrc, script:format, script:test, script:typecheck
- +1.5 typecheck: file:tsconfig.json, script:typecheck
- -1.5 high-density risky code patterns (78 hits)
Maintainability
- +1 README present
- +1 docs dirs: docs/
- +1 CHANGELOG present
- +2 strong governance (3 signals): file:.github/CODEOWNERS, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
- +1 lockfile: package-lock.json
- +1 CI present
Robustness
- +2.5 good test coverage (density 22%)
- +1 config signals: dir:docs/, file:.env.example
- +1 validation libs: node:zod
- +1 CI present
- -1.5 high-density risky code patterns (78 hits)
Sustainability
- +1 license present
- +1 version: 1.2.6
- +1 CHANGELOG present
- +0.5 tags: 2 tag(s)
- +2 very recent commit (≤7d)
Portability
- -1 platform components: launchd/
Security and risk signals (static scan)
Suspected credentials (redacted)
- Slack Token at .claude/skills/add-slack/SLACK_SETUP.md:75 value=***redacted***
- Slack Token at .claude/skills/add-slack/SKILL.md:79 value=***redacted***
- Slack Token at .claude/skills/add-slack/add/src/channels/slack.test.ts:80 value=***redacted***
- Slack Token at .claude/skills/add-slack/add/src/channels/slack.test.ts:797 value=***redacted***
High-risk patterns (manual review required)
- child_process.exec (code) at skills-engine/apply.ts:1
- child_process.exec (code) at skills-engine/apply.ts:278
- child_process.exec (code) at skills-engine/apply.ts:328
- child_process.exec (code) at skills-engine/init.ts:1
- child_process.exec (code) at skills-engine/init.ts:69
- child_process.exec (code) at skills-engine/structured.ts:1
- child_process.exec (code) at skills-engine/structured.ts:197
- child_process.exec (code) at skills-engine/uninstall.ts:1
- child_process.exec (code) at skills-engine/uninstall.ts:166
- child_process.exec (code) at skills-engine/customize.ts:1
- … and 68 further hits of type code
- Risk patterns in documentation: 2 (curl|bash-style install instructions, usually expected behaviour)
Improvement suggestions
- Add security scanning to CI (dependency audit, secret scanning, static analysis, etc.) and make it a quality gate.
- Audit the high-risk execution paths (eval/exec/shell=True/curl|bash, etc.): least privilege, input validation, isolated execution.
- If cross-platform support is a goal: identify the platform-bound components, define an explicit support matrix, and provide alternative implementations or a fallback strategy.