← Back to Skills Marketplace

Skill Security Vet

Name: Skill Security Vet
Author: lanew197894fun-cmd

by lanew197894fun-cmd · GitHub ↗ · v2.0.0 · MIT-0

cross-platform ⚠ suspicious

278

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install skill-security-vet

Description

技能安全審核 - 整合本地掃描 + VirusTotal 雲端威脅情報

Usage Guidance

This skill can scan installed skills and query VirusTotal, which matches its description — but it also contains a full-disk scanning mode and can automatically quarantine or delete files. Before installing or running it: 1) Inspect the code yourself or run it in a sandbox or VM first. 2) Disable automatic actions (autoQuarantine/autoRemove/autoScanOnStartup) in the config before running scans. 3) Do not provide your VirusTotal API key until you confirm where it is stored (the code writes plain JSON to ~/.opencode/config). 4) Backup ~/.opencode/skill (and important data) so you can recover if the tool quarantines or removes files. 5) If you only want skill-level checks, run the tool with explicit arguments (e.g., scan for specific skills) and avoid 'local' or 'full' modes. If you are not comfortable reviewing the code or running it in an isolated environment, treat this skill as high-risk.

Capability Analysis

Type: OpenClaw Skill Name: skill-security-vet Version: 2.0.0 The skill-security-vet bundle is a security auditing tool that performs local and cloud-based (VirusTotal) threat detection. While its stated purpose is defensive, it contains high-risk capabilities including broad filesystem scanning of system drives ('/' or 'C:\') in vet.ts, and the ability to automatically 'quarantine' (move) or delete files and directories in both vet.ts and startup-scan.ts. The inclusion of a startup script that automatically scans and potentially disables other skills, combined with the invasive nature of the full system scan, makes this bundle suspicious despite its documented utility. It communicates with virustotal.com for file reputation checks.

Capability Assessment

ℹ Purpose & Capability

Name and description claim a skills security vet that integrates local scanning and VirusTotal — the code implements that for ~/.opencode/skill and VirusTotal lookups, which is coherent. However the vet.ts also implements a full local-disk scanner (scanLocalComputer) with support for scanning system drives and suspicious binary extensions; that broad disk scanning and file-level handling is not clearly advertised in SKILL.md examples, creating a capability mismatch.

⚠ Instruction Scope

The SKILL.md examples only show scanning installed skills and configuring a VirusTotal API key. The code supports additional modes (local, full) that traverse filesystem roots, examine many file types, compute hashes, call VirusTotal, and can quarantine or remove files. Those instructions/behaviour (disk-wide scanning, removing/quarantining files) are not clearly surfaced in SKILL.md, which grants the skill broad discretion over local files.

✓ Install Mechanism

No external download/install steps; the skill is designed to run under bun and has no network install URL. There are no archive downloads or third-party package installs in the manifest.

⚠ Credentials

The skill requests no cloud credentials up-front and uses a user-provided VirusTotal API key configured via CLI (reasonable). However SKILL.md claims 'secure storage' of the API key while the code persists configuration as plain JSON under ~/.opencode/config (skill-vet.json / security-scan.json), which is not encrypted and may be readable by other local users. Also the skill reads HOME/USERPROFILE and will operate on system paths; this access is broader than the SKILL.md explicitly warns about.

⚠ Persistence & Privilege

The code defaults to enabling auto-scan/auto-quarantine behavior in places (loadConfig defaults autoScanOnStartup: true and autoQuarantine: true in startup-scan fallback), and includes functions that copy then rmSync files/directories (quarantine/ removal). While the skill is not marked always:true, these automatic removal/quarantine capabilities give it destructive privileges on the user's skill directory and, in full/local mode, potentially other files on disk. SKILL.md does not make these defaults explicit.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install skill-security-vet
After installation, invoke the skill by name or use /skill-security-vet
Provide required inputs per the skill's parameter spec and get structured output

Version History

v2.0.0

v2.0 - 新增 VirusTotal 整合、啟動自動掃描

v1.0.0

Initial release

Metadata

Slug skill-security-vet

Version 2.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 2

Frequently Asked Questions

What is Skill Security Vet?

技能安全審核 - 整合本地掃描 + VirusTotal 雲端威脅情報. It is an AI Agent Skill for Claude Code / OpenClaw, with 278 downloads so far.

How do I install Skill Security Vet?

Run "/install skill-security-vet" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Security Vet free?

Yes, Skill Security Vet is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Skill Security Vet support?

Skill Security Vet is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Security Vet?

It is built and maintained by lanew197894fun-cmd (@lanew197894fun-cmd); the current version is v2.0.0.

More Skills