Sx Security Audit 1.0.0 by 13256659129 · GitHub · v1.0.0 · MIT-0
134 downloads · 0 stars · 1 active install · 1 version
Install in OpenClaw: /install sx-security-audit-1-0-0
Description
A comprehensive security audit skill. Checks file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git security, shell security, macOS security, secret detection, and more. Supports CLI arguments, JSON output, and a configuration file. Use this skill when the user asks for a "security check", "vulnerability scan", "permission check", or "security audit".
Usage Guidance
This skill appears to be what it says: a local security audit that scans files, env vars, git history, dependencies, and can send formatted reports to Feishu. Before installing or running it:
- Review ~/.openclaw/openclaw.json for any plugin apiEndpoint or webhook settings the script could use to send data; if you don't want report upload, don't configure a webhook or OpenClaw Feishu plugin.
- Run audits in a controlled environment (or set excludePaths in .security-audit.json) so the tool doesn't read directories you consider too sensitive (e.g., backup directories, vaults).
- Expect the tool to include detected secrets in reports; if you will send reports to external endpoints, rotate any secrets accidentally disclosed.
- If you plan automated runs, prefer --json --output report.json and inspect the report offline before sending it to any webhook.
- Check for required system utilities (npm, lsof) and run without root unless you intentionally need privileged checks.
Confidence is medium because some portions of scripts were truncated; if you want higher confidence, provide the full security_audit.py and send_report_to_feishu.py contents so I can verify there are no hidden network endpoints, no unexpected exec calls that perform exfiltration, and exactly how subprocess/network operations are invoked.
Capability Analysis
Type: OpenClaw Skill
Name: sx-security-audit-1-0-0
Version: 1.0.0
The skill bundle is a comprehensive security auditing tool that performs high-risk operations, such as scanning sensitive directories (~/.ssh, ~/.aws), reading environment variables, and parsing shell history files (~/.bash_history, ~/.zshrc) for secrets. While these actions are clearly aligned with the stated purpose in SKILL.md and scripts/security_audit.py, the tool's ability to collect and transmit summaries of this sensitive data (including partial secret strings) to external Feishu webhooks via scripts/send_report_to_feishu.py constitutes a significant security risk. There is no evidence of intentional malice, but the broad access to system credentials and configuration files meets the threshold for a suspicious classification.
Capability Assessment
Purpose & Capability
The name/description (全方位安全审计, "comprehensive security audit") matches the code and SKILL.md: the scripts implement permission checks, secret detection, dependency checks, git/history scanning, port listing, macOS checks, and report generation/sending. No unexpected cloud credentials or unrelated external service credentials are required by default.
Instruction Scope
The runtime instructions and scripts explicitly read many local files and state (home dir, ~/.openclaw/openclaw.json, workspace, shell histories, git commits, process environment, node/npm audit output, lsof output). This is coherent for an audit tool, but the scope is broad — it will scan and potentially include sensitive secrets from configs and environment variables in generated reports.
Install Mechanism
No install spec — instruction-only plus included Python scripts. No remote downloads or package installs are forced by the skill. SKILL.md notes that external tools (npm, lsof) may be required at runtime, which is appropriate for the checks performed.
Credentials
The skill does not declare or require any environment credentials, but it scans the process environment and OpenClaw configuration for sensitive keys and supports FEISHU_WEBHOOK_URL / plugin API endpoints for report delivery. Requesting no env vars is proportionate; however, the combination of scanning and automatic sending could expose secrets if misused or if an outgoing webhook/plugin endpoint is configured.
Persistence & Privilege
always:false and default autonomous invocation are used. The skill reads local config and workspace but does not request permanent platform-wide privileges or modify other skills. Some checks may require sudo (noted in SKILL.md), which is appropriate for full port scans; there is no evidence that the skill persistently alters the system or other skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install sx-security-audit-1-0-0
- After installation, invoke the skill by name or use /sx-security-audit-1-0-0
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
SX-security-audit 1.0.0 - Initial release
- Provides comprehensive security auditing covering system, code, configuration, dependency, and network checks
- Modules for sensitive-file permissions, world-writable files, secret and high-entropy string detection, unsafe functions, dependency vulnerabilities, environment variables, Git configuration, port scanning, shell history/config, and macOS-specific security
- CLI arguments for flexibly selecting the audit scope; JSON/Markdown output and a quiet mode
- Configuration file for customizing behavior such as excluded paths and risk levels
- One-click Feishu security report delivery, with rich-text and card message support
- Clearly structured reports that prioritize remediation advice by risk
Frequently Asked Questions
What is Sx Security Audit 1.0.0?
It is an AI Agent Skill for Claude Code / OpenClaw that performs the comprehensive security audit described above (file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git, shell, macOS, and secret detection), with 134 downloads so far.
How do I install Sx Security Audit 1.0.0?
Run "/install sx-security-audit-1-0-0" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sx Security Audit 1.0.0 free?
Yes, Sx Security Audit 1.0.0 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Sx Security Audit 1.0.0 support?
Sx Security Audit 1.0.0 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Sx Security Audit 1.0.0?
It is built and maintained by 13256659129 (@13256659129); the current version is v1.0.0.