my-test-skill
by jinxiaotian1 · v0.0.1 · MIT-0
Downloads: 285 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw
/install my-test-skill
Description
Intelligent code security scanner with hybrid local-cloud detection. Fingerprints packages, runs static behavioral analysis, and consults cloud threat intell...
Usage Guidance
This skill appears to implement a legitimate hybrid local/cloud scanner, but take these precautions before installing:
1) Verify publisher identity and that the registry package name matches the SKILL.md branding (my-test-skill vs yidun-skill-sec).
2) Understand cloud mode will POST fingerprints, behavior tags, and extracted code snippets to https://as.dun.163.com (NetEase Yidun); if those metadata or snippets could be sensitive, disable cloud mode (YIDUN_SKILL_SEC_CLOUD=false) or avoid using the skill.
3) Confirm you trust the external operator and your organization’s policies about sending package data abroad.
4) If you need stronger assurance, request a signed release, a canonical source (GitHub repo/release), or an audited implementation rather than relying on SKILL.md prose alone.
Capability Analysis
Type: OpenClaw Skill
Name: my-test-skill
Version: 0.0.1
The skill is a security scanner that performs data exfiltration by design, sending file hashes, behavior tags, and code snippets ('evidence artifacts') to a remote endpoint (as.dun.163.com) for analysis. While the documentation (SKILL.md, README.md) claims to redact sensitive values, the transmission of local code context, file paths, and metadata to a third-party service constitutes a significant privacy and security risk. The behavior is aligned with the stated purpose of 'hybrid cloud detection,' but the inherent risk of sending code fragments to an external domain makes it suspicious.
Capability Assessment
Purpose & Capability
The SKILL.md and README implement exactly what the description promises: local fingerprinting and static analysis plus an optional cloud intelligence POST to as.dun.163.com. Required binaries (curl, jq, openssl) are appropriate. However, the registry metadata lists the skill as 'my-test-skill' while the SKILL.md/README identify the package as 'yidun-skill-sec' / 'YidunClawSec' (branding mismatch), which is an incoherence worth verifying with the publisher.
Instruction Scope
Instructions explicitly compute file-level hashes, extract code snippets that triggered detections, build a fingerprint manifest, and upload fingerprint/behavior tags/evidence to a remote endpoint. Uploading extracted code snippets (even if partial) to an external service is within the stated purpose (cloud analysis) but is a privacy/data-exfiltration risk that should be acknowledged. The SKILL.md also references source metadata (install_url, author data) that implies additional registry queries or metadata collection outside the package; those network actions are not declared in the registry metadata but are consistent with the scanner's needs.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or installed by the skill package itself. This minimizes install-time risk. The only runtime network activity described is to the cloud analysis endpoint, which is implemented via curl (declared).
Credentials
No required secrets or privileged env vars are listed. Two optional env vars are declared (YIDUN_SKILL_SEC_CLOUD to toggle cloud, and YIDUN_SKILL_SEC_TRUSTED_REGISTRIES) which are proportionate. Still, because the skill will send fingerprints and extracted snippets to an external endpoint, users should consider whether that data is acceptable to disclose to the named operator (NetEase Yidun) before enabling cloud mode.
Persistence & Privilege
always is false and the skill does not request persistent platform-level privileges or modification of other skills. Autonomous invocation is allowed by default but that is the platform norm and not by itself a red flag here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install my-test-skill
- After installation, invoke the skill by name or use /my-test-skill
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
my-test-skill v0.0.1
- Initial release of an intelligent code security scanner with hybrid local-cloud detection.
- Performs package fingerprinting, static behavioral analysis, and cloud-based threat intelligence lookups (enabled by default, configurable).
- Provides a quantified safety score and severity tags based on code behaviors and source trust.
- Defaults to strong privacy safeguards: only non-sensitive metadata is uploaded for cloud analysis.
- Supports trusted registry allowlisting and customizable environment settings.
Frequently Asked Questions
What is my-test-skill?
Intelligent code security scanner with hybrid local-cloud detection. Fingerprints packages, runs static behavioral analysis, and consults cloud threat intell... It is an AI Agent Skill for Claude Code / OpenClaw, with 285 downloads so far.
How do I install my-test-skill?
Run "/install my-test-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is my-test-skill free?
Yes, my-test-skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does my-test-skill support?
my-test-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).
Who created my-test-skill?
It is built and maintained by jinxiaotian1 (@jinxiaotian1); the current version is v0.0.1.