Claw.md

Appearance

nanoclaw

本页为离线静态分析自动生成;分数为信号驱动启发式,请结合证据与人工复核使用。

项目概况

  • 名称: nanoclaw
  • 版本: 1.1.2
  • Git HEAD: 1448a14a9470
  • 最近提交: 2026-02-24T05:04:48Z
  • 许可证: LICENSE
  • 语言: TypeScript(125), Markdown(43), YAML(10), JSON(9), Shell(4)

README 摘要

An AI assistant that runs agents securely in their own containers. Lightweight, built to be easily understood and completely customized for your needs.

评分(0-10)

维度分数
代码质量7.0
可维护性5.5
健壮性4.0
可持续性4.0
可迁移性0.0
综合4.1

工程信号

CI / 测试

  • CI: 5 个 workflow
    • .github/workflows/bump-version.yml, .github/workflows/skill-tests.yml, .github/workflows/skills-only.yml, .github/workflows/test.yml, .github/workflows/update-tokens.yml
  • CI 操作系统: linux
  • 测试信号: file:setup/environment.test.ts, file:setup/platform.test.ts, file:setup/register.test.ts, file:setup/service.test.ts, file:skills-engine/__tests__/apply.test.ts, file:skills-engine/__tests__/backup.test.ts, file:skills-engine/__tests__/ci-matrix.test.ts, file:skills-engine/__tests__/constants.test.ts

代码质量工具

  • Lint / 格式化: file:.prettierrc, script:format, script:test, script:typecheck
  • 类型检查: file:tsconfig.json, script:typecheck
  • 校验库: node:zod

安全与治理

  • 治理: file:.github/CODEOWNERS, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md

技术栈与依赖

  • Node: name=nanoclaw type=module lockfile=package-lock.json
    • deps: @types/better-sqlite3, @types/node, @types/qrcode-terminal, @vitest/coverage-v8, @whiskeysockets/baileys, better-sqlite3, cron-parser, pino, pino-pretty, prettier, qrcode, qrcode-terminal, tsx, typescript, vitest, yaml

评分依据(信号 → 证据)

代码质量

  • +2 CI: 5 workflow(s)
  • +2.5 tests: 34 signal(s)
  • +2 lint/format: file:.prettierrc, script:format, script:test, script:typecheck
  • +1.5 typecheck: file:tsconfig.json, script:typecheck
  • -1 risky code patterns present (review needed)

可维护性

  • +1 README present
  • +1 docs dirs: docs/
  • +1.5 governance: file:.github/CODEOWNERS, file:.github/PULL_REQUEST_TEMPLATE.md, file:CONTRIBUTING.md
  • +1 lockfile: package-lock.json
  • +1 CI present

健壮性

  • +2 tests present
  • +1 config signals: dir:docs/, file:.env.example
  • +1 validation libs: node:zod
  • +1 CI present
  • -1 risky code patterns present (review needed)

可持续性

  • +1 license present
  • +1 version: 1.1.2
  • +2 recent commit (≤30d)

可迁移性

  • -1 platform components: launchd/

安全与风险信号(静态扫描)

高风险模式(需人工复核)

  • child_process.exec (code) at skills-engine/apply.ts:1
  • child_process.exec (code) at skills-engine/apply.ts:234
  • child_process.exec (code) at skills-engine/apply.ts:296
  • child_process.exec (code) at skills-engine/apply.ts:344
  • child_process.exec (code) at skills-engine/init.ts:1
  • child_process.exec (code) at skills-engine/init.ts:64
  • child_process.exec (code) at skills-engine/resolution-cache.ts:1
  • child_process.exec (code) at skills-engine/resolution-cache.ts:70
  • child_process.exec (code) at skills-engine/resolution-cache.ts:159
  • child_process.exec (code) at skills-engine/structured.ts:1
  • …及其余 121 条 code 类
  • 文档中的风险模式:2 条(curl|bash 等安装指引,通常为预期行为)

改进建议

  • 在 CI 增加安全扫描(依赖审计/secret 扫描/静态分析等)并设为质量闸门。
  • 审计高风险执行路径(eval/exec/shell=True/curl|bash 等):最小权限、输入验证、隔离执行。
  • 若目标是跨平台:梳理平台绑定点,明确支持矩阵并提供替代实现或降级策略。

离线静态分析 · 信号驱动启发式评分 · 不使用外部平台指标