← Back to Skills Marketplace
342
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install skill-audit-modeio
Description
Runs a deterministic static safety audit for third-party AI skill or plugin repositories before install or execution. Use when asked to scan a skill repo, as...
Usage Guidance
This skill is a static auditor and appears to do what it says: read the target repository, run deterministic pattern-based scans, and optionally call GitHub OSINT. Before running: (1) Understand that the scanner will read all scanned files in the target repo (it does not execute target-repo code), so do not point it at repos that contain private secrets you don't want read. (2) If you enable GitHub OSINT or provide a GITHUB_TOKEN, the tool may make API/network calls; only provide credentials if you trust the tool and want higher rate limits. (3) The code uses git (if available) to get commit SHA—this is optional but expected. (4) If you need absolute assurance, review the run_github_osint_precheck and any network-calling functions before giving network access or a token. Overall the skill is internally consistent and proportionate for a repository safety auditor.
Capability Analysis
Type: OpenClaw Skill
Name: skill-audit-modeio
Version: 0.1.0
The skill bundle is a comprehensive static analysis tool designed to perform security audits on third-party AI skills and repositories. It implements a multi-layered scanning engine (in `modeio_skill_audit/skill_safety/`) that detects prompt injection, shell execution risks, secret exfiltration patterns, and supply chain vulnerabilities using deterministic regex-based rules. While the tool performs network requests to the GitHub API for OSINT reputation checks (`repo_intel.py`) and utilizes `subprocess` for Git metadata, these actions are strictly aligned with its documented purpose as a security scanner and do not exhibit signs of malicious intent or unauthorized data exfiltration.
Capability Assessment
Purpose & Capability
The name/description (static pre-install audit) matches the code and CLI: it walks a target repo, performs layered static scans (AST/patterns/prompt checks/secret checks/supply-chain checks), computes hashes, and optionally performs a GitHub OSINT precheck. Required resource list is minimal (python3). The README notes optional 'git' and optional 'GITHUB_TOKEN' for improved OSINT; these map to code usage (git subprocess call, GitHub API).
Instruction Scope
SKILL.md and CLI instruct the agent to scan a provided target repo and to not execute target-repo code; the implementation appears to respect that (it reads files, computes hashes, and pattern-scans). The engine will (optionally) call GitHub OSINT when the repo has a GitHub origin and will invoke git to obtain commit SHA if available. There is no instruction to read system files outside the target repo, to access unrelated environment variables, or to transmit secrets; however network calls to GitHub (OSINT) are performed when applicable.
Install Mechanism
No install spec is provided (instruction-only skill), which minimizes install-time risk. The package does include many Python source files bundled in the skill archive; executing the CLI requires running these Python files locally under python3. No downloads from untrusted URLs or archive extraction steps are present in the manifest.
Credentials
The skill declares no required environment variables and only requires python3. SKILL.md explicitly lists optional enhancements: git (optional) and GITHUB_TOKEN (optional for higher API rate limits). That is proportionate for a repo-auditor that performs a GitHub precheck. The code does invoke subprocess to call git (git_commit_sha) and may make HTTP requests during OSINT; those are expected. There are no unexplained SECRET/TOKEN/PASSWORD requirements.
Persistence & Privilege
The skill is not always:true, is user-invocable, and does not request permanent presence or elevated system-wide privileges. It does not attempt to modify other skills or system configs as part of its normal flow.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-audit-modeio - After installation, invoke the skill by name or use
/skill-audit-modeio - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of skill-audit-modeio.
- Runs static, deterministic safety audits for third-party AI skill and plugin repositories before install or execution.
- Provides commands for audit evaluation, prompt generation, evidence validation, and merge adjudication without executing code.
- Excludes maintainer-only benchmarks and validation assets from public uploads.
- Requires Python 3; optionally supports git and GitHub tokens for enhanced metadata and rate-limiting.
- Designed to help users assess repository safety with evidence-backed, reproducible findings.
Metadata
Frequently Asked Questions
What is Skill Audit?
Runs a deterministic static safety audit for third-party AI skill or plugin repositories before install or execution. Use when asked to scan a skill repo, as... It is an AI Agent Skill for Claude Code / OpenClaw, with 342 downloads so far.
How do I install Skill Audit?
Run "/install skill-audit-modeio" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Audit free?
Yes, Skill Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Audit support?
Skill Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skill Audit?
It is built and maintained by modeioai (@modeioai); the current version is v0.1.0.
More Skills