Scopecheck

by mirni · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
113 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install scopecheck
Description
Analyze an OpenClaw SKILL.md and extract its permission scope — what env vars, CLI tools, filesystem paths, and network URLs it accesses. Compares declared r...
Usage Guidance
This skill appears coherent and low-risk: it runs a local FastAPI/uvicorn server and analyzes SKILL.md text you send it. Before installing or running it, consider:
  1. Start it locally or in a sandboxed environment so the server only binds to localhost/your network.
  2. Ensure pip installs are from PyPI and consider pinning package versions.
  3. The SKILL.md metadata omits 'uvicorn' from declared bins even though the example invokes it — this is a documentation/metadata omission, not an active risk.
  4. The README examples use curl and jq (not declared); you only need those to follow the example, not for the skill internals.
  5. The extractor regexes may over-match in edge cases (e.g., uppercase tokens that are not intended env vars), so review results before acting on them.
If you want higher assurance, review the source files provided or run the server in an isolated environment.
Capability Analysis
Type: OpenClaw Skill
Name: scopecheck
Version: 1.0.0
The 'scopecheck' skill is a static analysis utility designed to audit OpenClaw SKILL.md files for resource usage. It extracts and compares declared vs. detected environment variables, CLI tools, filesystem paths, and URLs using standard Python libraries (FastAPI, PyYAML, Pydantic). The code in scopecheck/app.py and scopecheck/extractors.py is transparent, follows its stated purpose, and contains no indicators of malicious behavior, data exfiltration, or intentional vulnerabilities.
Capability Assessment
Purpose & Capability
The skill's name and description match its code: it parses SKILL.md and reports env vars, CLI tools, filesystem paths, and URLs. It declares python as a required binary and installs FastAPI/uvicorn via pip. However, the runtime instructions invoke the uvicorn binary, and 'uvicorn' is not listed in the declared bins frontmatter (the pip install will provide it). This is a minor mismatch (documentation/metadata omission) rather than a capability mismatch.
Instruction Scope
SKILL.md instructs running a local uvicorn server and shows a curl + jq example to POST SKILL.md content. The example references external CLI tools (curl, jq) that are not declared in the skill metadata; these are usage examples for the operator rather than actions the skill performs itself, but you should be aware the examples assume those tools exist. The analyzer itself only processes the provided SKILL.md text and does not read system files or env vars beyond parsing the submitted content.
Install Mechanism
Install uses pip packages (fastapi, uvicorn, pydantic, pyyaml) via the declared install provider. These are standard packages from PyPI and no arbitrary external download URLs or extract/remote archives are used in the provided install spec.
Credentials
The skill requests no environment variables and the code does not access runtime secrets. It only scans the submitted SKILL.md text for env-like tokens. No unrelated credentials are requested.
Persistence & Privilege
The skill uses always:false and normal model invocation settings. It does not modify other skills or system-wide agent settings and does not request persistent elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install scopecheck
  3. After installation, invoke the skill by name or use /scopecheck
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Improved description for clarity and conciseness.
- Updated metadata format and added emoji for better integration.
- Revised installation instructions for clearer dependency management.
- Simplified usage examples and response documentation.
- Enhanced explanation of extracted fields and undeclared access detection.
v0.1.1
- Added OpenClaw metadata to SKILL.md with required binaries and install instructions.
- Updated installation and usage instructions for clarity and consistency.
- Changed server start example to use the new import path: uvicorn scopecheck.app:app.
- Improved formatting and separated installation from usage steps.
v0.1.0
Initial release of ScopeCheck, a security tool for SKILL.md permission manifest analysis.
- Extracts and summarizes environment variables, CLI tools, filesystem paths, and network URLs accessed by a skill.
- Compares detected resource access with what is declared in SKILL.md.
- Reports mismatches as undeclared access.
- Provides both a hosted API and standalone server usage options.
- Clear input and output schema are documented for easy integration.
Metadata
Slug scopecheck
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Scopecheck?

Analyze an OpenClaw SKILL.md and extract its permission scope — what env vars, CLI tools, filesystem paths, and network URLs it accesses. Compares declared r... It is an AI Agent Skill for Claude Code / OpenClaw, with 113 downloads so far.

How do I install Scopecheck?

Run "/install scopecheck" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Scopecheck free?

Yes, Scopecheck is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Scopecheck support?

Scopecheck is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Scopecheck?

It is built and maintained by mirni (@mirni); the current version is v1.0.0.
