Testing unscopedPackageName() extraction:
============================================================

Input: @scope/normal-package
Extracted: "normal-package"
Install path: /home/user/.openclaw/extensions/normal-package
Resolved: /home/user/.openclaw/extensions/normal-package
✓ Safe: Path stays within extensions directory

Input: @malicious/..
Extracted: ".."
Install path: /home/user/.openclaw
Resolved: /home/user/.openclaw
❌ VULNERABLE: Path escapes extensions directory!

Input: @evil/../etc
Extracted: "../etc"
Install path: /home/user/.openclaw/etc
Resolved: /home/user/.openclaw/etc
❌ VULNERABLE: Path escapes extensions directory!

Input: @bad/..
Extracted: ".."
Install path: /home/user/.openclaw
Resolved: /home/user/.openclaw
❌ VULNERABLE: Path escapes extensions directory!

============================================================
Found 3 vulnerable patterns

VULNERABILITY CONFIRMED:
The unscopedPackageName() function fails to validate extracted names.
When given '@malicious/..', it returns '..' which traverses to parent dir.
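
The validation this output shows to be missing, as an added example that is not the project's own code. unscopedPackageName() here is a hypothetical reconstruction from the output (it keeps everything after the first "/" of a scoped name), and installDirUnchecked, installDirChecked and classify are illustrative names.

```javascript
const path = require('node:path');

// Base directory as it appears in the test output.
const EXT_DIR = '/home/user/.openclaw/extensions';

// Hypothetical reconstruction: strip "@scope/" and validate nothing.
function unscopedPackageName(name) {
  const m = /^@[^/]+\/(.+)$/.exec(name);
  return m ? m[1] : name;
}

// Before: the extracted name is joined to the base directory as-is.
function installDirUnchecked(name, base = EXT_DIR) {
  return path.posix.resolve(base, unscopedPackageName(name));
}

// After: the name must be one plain path segment, and the resolved
// directory must be a strict descendant of the base directory.
function installDirChecked(name, base = EXT_DIR) {
  const dirName = unscopedPackageName(name);
  if (dirName === '' || dirName === '.' || dirName === '..' ||
      /[\\\/\0]/.test(dirName)) {
    throw new Error(`invalid package name: ${JSON.stringify(name)}`);
  }
  const root = path.posix.resolve(base);
  const target = path.posix.resolve(root, dirName);
  const rel = path.posix.relative(root, target);
  // Defence in depth: holds even if the segment check above is changed.
  if (rel === '' || rel === '..' || rel.startsWith('../') ||
      path.posix.isAbsolute(rel)) {
    throw new Error(`install path escapes ${root}: ${target}`);
  }
  return target;
}

// Returns [input, resolved path or null when rejected] for each name.
function classify(names) {
  return names.map((n) => {
    try { return [n, installDirChecked(n)]; } catch (e) { return [n, null]; }
  });
}

// The four inputs from the output above.
console.log(classify(
  ['@scope/normal-package', '@malicious/..', '@evil/../etc', '@bad/..']));
```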