sx-security-audit
by zhuxiaobao-y · GitHub · v1.0.0 · MIT-0
343 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install sx-security-audit
Description
A comprehensive security auditing skill. It checks file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git security, shell security, macOS security, secret detection, and more. Supports CLI arguments, JSON output, and configuration files. Use this skill when the user asks for a "security check", "vulnerability scan", "permission check", or "security audit".
Usage Guidance
This tool is consistent with its stated purpose of security auditing, but it is powerful: it will scan your home directory, workspace, shell histories, environment variables, and Git history, and it may include discovered secrets in its report. Before running: (1) review the scripts locally to confirm you trust them (they are included in the package); (2) run audits in a controlled environment (or container) if you are concerned about accidental data exposure; (3) do not use the send-to-Feishu options unless you trust the target webhook or the OpenClaw plugin API endpoint (inspect ~/.openclaw/openclaw.json for the configured apiEndpoint); (4) expect some checks (npm audit, lsof) to require additional tools or elevated privileges; run with the least privilege necessary and review the generated report content before broadcasting it.
Capability Analysis
Type: OpenClaw Skill
Name: sx-security-audit
Version: 1.0.0
The SX-security-audit skill bundle is a legitimate security auditing tool designed to identify system misconfigurations, hardcoded secrets, and dependency vulnerabilities. The core logic in `scripts/security_audit.py` performs various checks including file permissions (e.g., `~/.ssh`), environment variable scanning, and Git history analysis for leaked credentials using regex and Shannon entropy. While the tool accesses sensitive data, its behavior is transparent and strictly aligned with its stated purpose. The reporting script `scripts/send_report_to_feishu.py` allows users to send audit summaries to their own Feishu webhooks or plugins, and no evidence of hardcoded malicious endpoints, unauthorized exfiltration, or persistence mechanisms was found.
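The regex-plus-entropy approach described above, as an added illustration that is not code from the skill itself: the key-format patterns, the 4.0 bits/char threshold and the sample lines are assumptions constructed for this example, and findings are masked so a report can be reviewed without reprinting the secret in full.

```python
import math
import re

# Constructed sample lines standing in for a scanned env/config dump (not real secrets).
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",   # AWS's documented example key id
    "DB_PASSWORD=hunter2",                      # short, low entropy: missed by this check
    "API_TOKEN=q7Hf2kL9pZx3Vb8mN1tR6wYs4Ec5Ag0Ju",  # random-looking, high entropy
    "GREETING=hello_world_example_value_here",  # long but low entropy: not flagged
]

# Known key formats (assumed patterns for illustration; the skill's own list is not shown).
KNOWN_FORMATS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Candidate tokens for the entropy heuristic: long runs of identifier-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(token: str) -> str:
    """Keep a short prefix so the finding is recognisable without echoing the secret."""
    return token[:4] + "*" * (len(token) - 4)


def scan_line(line: str) -> list:
    findings = []
    for name, pattern in KNOWN_FORMATS.items():
        for m in pattern.finditer(line):  # known formats win regardless of entropy
            findings.append({"kind": name, "masked": mask(m.group(0)),
                             "entropy": round(shannon_entropy(m.group(0)), 2)})
    seen = {f["masked"] for f in findings}
    for m in TOKEN_RE.finditer(line):
        token = m.group(0)
        ent = shannon_entropy(token)
        if mask(token) not in seen and ent >= ENTROPY_THRESHOLD:
            findings.append({"kind": "high_entropy", "masked": mask(token),
                             "entropy": round(ent, 2)})
    return findings


def scan_lines(lines: list) -> dict:
    """Map 1-based line number -> findings, for lines that produced any."""
    report = {}
    for lineno, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            report[lineno] = findings
    return report
```

The `DB_PASSWORD` line shows the well-known gap of entropy scanning: short or dictionary-like secrets pass, so it complements rather than replaces the known-format patterns.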
Capability Assessment
Purpose & Capability
The name/description (security audit) matches the included scripts and reference docs. The checks (permissions, secrets, deps, git, ports, macOS checks, etc.) are implemented in the provided Python code and the references. Access to ~/.openclaw, workspace, home, and repo files is expected for this purpose.
Instruction Scope
Runtime instructions and scripts explicitly scan many sensitive locations (home directory, ~/.ssh, ~/.aws, shell history, environment variables, Git diffs, workspace recursive scans) which is normal for an audit tool but high-sensitivity. The skill also supports sending generated reports to Feishu (webhook or OpenClaw plugin API). Users should expect audit output may contain secrets discovered during scans.
Install Mechanism
No install spec is provided (instruction-only plus included scripts), so nothing external is downloaded by the registry. The scripts call external tooling (e.g., npm audit, lsof) as documented; that is proportional to the stated checks but may require those tools to be present.
Credentials
The skill declares no required environment variables, but the send-to-Feishu flow can use a FEISHU_WEBHOOK_URL or the OpenClaw plugin configuration (from ~/.openclaw/openclaw.json). The audit will scan current environment variables for sensitive patterns (expected for a secrets audit). No unrelated third-party credentials are requested in metadata.
Persistence & Privilege
The skill is declared with `always: false`, and there is no evidence of it trying to persist itself or modify other skills. It reads user config (~/.openclaw/openclaw.json) to find optional Feishu plugin settings but does not appear to alter other skill configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install sx-security-audit
- After installation, invoke the skill by name or use /sx-security-audit
- Provide the required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of SX-security-audit – a comprehensive security auditing skill.
- Provides modular checks including file permissions, secrets, dependencies, environment variables, Git, network ports, shell, and macOS security.
- Detects known key formats and uses entropy analysis for enhanced secret detection.
- Supports CLI options for module selection, output format (JSON, Markdown), severity filtering, and silent mode.
- Allows behavior customization via `.security-audit.json` config files with path exclusions and severity thresholds.
- Generates detailed, prioritized security audit reports and supports report delivery to Feishu in multiple message formats.
- Includes guidance for both automated and manual report sending.
Frequently Asked Questions
What is sx-security-audit?
A comprehensive security auditing skill. It checks file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git security, shell security, macOS security, secret detection, and more. Supports CLI arguments, JSON output, and configuration files. Use this skill when the user asks for a "security check", "vulnerability scan", "permission check", or "security audit". It is an AI Agent Skill for Claude Code / OpenClaw, with 343 downloads so far.
How do I install sx-security-audit?
Run "/install sx-security-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is sx-security-audit free?
Yes, sx-security-audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does sx-security-audit support?
sx-security-audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created sx-security-audit?
It is built and maintained by zhuxiaobao-y (@zhuxiaobao-y); the current version is v1.0.0.