← Back to Skills Marketplace
rongself

Agent Skills Tools

by rongself · GitHub ↗ · v0.1.0
cross-platform ✓ Security Clean
1379
Downloads
0
Stars
6
Active Installs
1
Versions
Install in OpenClaw
/install agent-skills-tools
Description
Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices.
README (SKILL.md)

Agent Skills Tools 🔒

Security and validation tools for the Agent Skills ecosystem.

Overview

This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.

Tools

1. Security Audit Tool (skill-security-audit.sh)

Scans skill packages for common security issues:

Checks:

  • 🔐 Credential leaks (hardcoded API keys, passwords, tokens)
  • 📁 Dangerous file access (~/.ssh, ~/.aws, ~/.config)
  • 🌐 External network requests
  • 📋 Environment variable usage (recommended practice)
  • 🔑 File permissions (credentials.json)
  • 📜 Git history for leaked secrets

Usage:

./skill-security-audit.sh path/to/skill

Example output:

🔒 技能安全审计报告:path/to/skill
==========================================

📋 检查1: 凭据泄露 (API key, password, secret, token)
----------------------------------------
✅ 未发现凭据泄露

📋 检查2: 危险的文件操作 (~/.ssh, ~/.aws, ~/.config)
----------------------------------------
✅ 未发现危险的文件访问

[... more checks ...]

==========================================
🎯 安全审计完成

Background

eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.

These tools help catch such vulnerabilities before they cause damage.

Best Practices

  1. Never hardcode credentials

    • API_KEY="sk_live_abc123..."
    • ✅ Read from environment variables or config files

  2. Use environment variables

    export MOLTBOOK_API_KEY="sk_live_..."

    import os
api_key = os.environ.get('MOLTBOOK_API_KEY')

  3. Check Git history

    git log -S 'api_key'
git-secrets --scan-history

  4. Add sensitive files to .gitignore

    credentials.json
*.key
.env

License

MIT

Usage Guidance
This skill appears to do what it claims: a local, grep-based audit you run against a skill package. Before installing/using it: 1) review the script yourself (it's short and included); 2) run it against a copy of the package (don't point it at system root or sensitive directories unless you mean to); 3) expect heuristic results — it may miss obfuscated secrets or flag benign code; 4) the tool does not transmit data externally, but any agent invoking the tool could collect and send the report, so limit autonomous use if you don't trust the agent; 5) the publisher is unknown/no homepage — if you need stronger assurance, prefer tools from verified sources or request provenance/signing from the author. Additional information (a verifiable author, tests, or a signed release) would raise confidence.
Capability Analysis
Type: OpenClaw Skill Name: agent-skills-tools Version: 0.1.0 This skill is designed as a security audit tool for other OpenClaw skill packages. The `skill-security-audit.sh` script uses standard command-line tools (`find`, `grep`, `git log`) to analyze the contents and Git history of a target skill directory for common vulnerabilities like hardcoded credentials, dangerous file access patterns, and network requests. All operations are read-only and confined to the specified target directory. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent in SKILL.md that would deviate from its stated purpose.
Capability Assessment
Purpose & Capability
Name/description match the actual behavior: the included shell script scans a target skill directory for hardcoded keys, references to sensitive paths, network-call patterns, environment-variable usage, credentials files, and simple Git-history hints. None of the script's requirements (no env vars, no external installs) are inconsistent with an auditing tool.
Instruction Scope
SKILL.md instructs running the provided script against a target directory. The script only inspects files under the supplied path and (if present) the repository history via git -C; it does not read or exfiltrate user home files by itself. Note: checks are purely local and pattern-based (grep); they may produce false positives/negatives and rely on simple patterns like 'api_key' and strings such as 'curl' or '.ssh'.
Install Mechanism
No install spec — instruction-only with a bundled shell script. This is low-risk: nothing is downloaded or written to disk beyond the contained files.
Credentials
The skill requests no environment variables or credentials, which is appropriate for a static auditing tool. The script does not access environment variables beyond local git execution.
Persistence & Privilege
always is false; the skill does not request persistent presence or modify other skill configurations. Autonomous invocation is allowed by platform default but the skill itself has no persistence/privilege escalation behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agent-skills-tools
  3. After installation, invoke the skill by name or use /agent-skills-tools
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: skill-security-audit tool for Agent Skills ecosystem
Metadata
Slug agent-skills-tools
Version 0.1.0
License
All-time Installs 6
Active Installs 6
Total Versions 1
Frequently Asked Questions

What is Agent Skills Tools?

Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices. It is an AI Agent Skill for Claude Code / OpenClaw, with 1379 downloads so far.

How do I install Agent Skills Tools?

Run "/install agent-skills-tools" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Agent Skills Tools free?

Yes, Agent Skills Tools is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Agent Skills Tools support?

Agent Skills Tools is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Agent Skills Tools?

It is built and maintained by rongself (@rongself); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments