← Back to Skills Marketplace
214
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install skills-security-scanner
Description
审计和扫描技能的安全性。在启用新技能前使用此工具验证其安全性,确保符合安全策略。
Usage Guidance
This skill will ZIP and upload entire skill directories to a scan API and requires access keys (AK/SK) supplied by scripts/config.json or environment variables—yet the registry lists no required credentials and the README implies a local service. Before installing: (1) ask the author which endpoint will receive the uploads and request that endpoint be explicit (local vs cloud) and documented; (2) do not provide real cloud credentials—use a throwaway/test account if you must trial it; (3) inspect scripts/config.json and the full script to confirm upload_url and signing behavior; (4) if you must run it, run in a sandbox or isolated environment and test with non-sensitive sample skills first; (5) consider asking the maintainer to declare required env vars in metadata and to add an explicit opt-in step that shows the upload destination before transmitting code.
Capability Analysis
Type: OpenClaw Skill
Name: skills-security-scanner
Version: 1.0.0
The skill is a security scanner that functions by zipping local directories and uploading them to a remote API (defaulting to volcengineapi.com) for analysis. While this aligns with its stated purpose in SKILL.md, the script (scripts/scan.py) lacks path sanitization or restricted scopes, creating a high-risk primitive where an agent could be directed to exfiltrate sensitive system directories (e.g., ~/.ssh or /etc) under the guise of a 'security scan.' The use of external cloud APIs for processing local code constitutes a significant data exfiltration risk if not strictly controlled.
Capability Assessment
Purpose & Capability
The description says this audits/scans skills (and the SKILL.md repeatedly mentions a local analysis service), which is plausible. However, the script imports a Volcengine SDK and builds requests to open.volcengineapi.com (and signs requests with AK/SK). The registry declares no required credentials or secrets even though the script requires access keys or a config.json with credentials to upload. Asking for cloud credentials is not aligned with the 'local' wording and the metadata.
Instruction Scope
SKILL.md instructs the agent to run scripts/scan.py with absolute paths and to ensure scripts/config.json exists (or use env vars). The script will zip and upload the entire target skill directory (or archive) to a scan endpoint. That means arbitrary skill source code and files are transmitted. SKILL.md frames this as a local service, but the code defaults to a remote cloud API—so the instructions understate where data may go.
Install Mechanism
This is an instruction-only skill with a provided Python script (no install spec). The script imports third-party packages (requests and a volcengine SDK) that are not declared; there is no install step to ensure dependencies are present. Lack of an install spec is low-install risk but means execution may fail or behave unexpectedly if required libs are missing.
Credentials
No required environment variables or primary credential are declared in the registry, yet the script expects access key/secret (AK/SK) via scripts/config.json or environment variables and uses SignerV4 to sign upload requests. Requesting cloud credentials to upload arbitrary code is high-sensitivity and is not justified or declared by the skill metadata or description.
Persistence & Privilege
The skill is not always:true and does not request persistent system-level access. It can be invoked autonomously (the platform default), which combined with the credential/upload behavior increases risk, but the skill itself does not claim elevated persistence privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skills-security-scanner - After installation, invoke the skill by name or use
/skills-security-scanner - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of skills-security-scanner:
- Provides a tool for auditing and scanning the security of other skills before enabling them.
- Scans skills by analyzing the SKILL.md file and related code via a local analysis service.
- Includes a script (`scripts/scan.py`) for scanning, requiring absolute paths.
- Outputs results as a JSON array for further processing and user-friendly reporting.
- Specifies a standardized scan report format in Chinese, highlighting high and medium security risks.
Metadata
Frequently Asked Questions
What is skills-security-scanner?
审计和扫描技能的安全性。在启用新技能前使用此工具验证其安全性,确保符合安全策略。 It is an AI Agent Skill for Claude Code / OpenClaw, with 214 downloads so far.
How do I install skills-security-scanner?
Run "/install skills-security-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is skills-security-scanner free?
Yes, skills-security-scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does skills-security-scanner support?
skills-security-scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created skills-security-scanner?
It is built and maintained by qihuang (@qihuang0); the current version is v1.0.0.
More Skills