← Back to Skills Marketplace
1245
Downloads
0
Stars
9
Active Installs
1
Versions
Install in OpenClaw
/install agents-skill-security-audit
Description
Minimal helper to audit skill.md-style instructions for supply-chain risks.
README (SKILL.md)
security-audit
Minimal helper to audit skill.md-style instructions for supply-chain risks.
Features
- Heuristic scan for exfiltration patterns (HTTP POST, curl to unknown domains, reading ~/.env, credential keywords).
- Permission manifest reminder: lists filesystem/network touches it sees.
- Safe report: markdown summary + risk level.
Usage
python audit.py path/to/skill.md > report.md
Usage Guidance
This skill appears coherent and low-risk: it's a local Python script that heuristically scans a single skill.md for suspicious patterns. Before using it, quickly eyeball audit.py yourself (it's short and included), and be aware it only searches text with simple regexes (it can miss obfuscated strings, multi-file issues, or nested downloads). Don't rely solely on its output — treat it as a first-pass aid and perform manual review for anything flagged. If you plan to scan skill files containing secrets, run the tool on a sanitized copy or in a sandboxed environment.
Capability Analysis
Type: OpenClaw Skill
Name: agents-skill-security-audit
Version: 0.1.0
This skill bundle is designed to audit other OpenClaw skill bundles for supply-chain risks. The `audit.py` script scans input files for patterns indicative of data exfiltration (e.g., `http://`, `webhook`, `ngrok`), sensitive file access (e.g., `.env`, `.ssh`, `credentials`), and dangerous shell commands (e.g., `curl | bash`, `sudo`, `rm -rf`). The script itself only reads files and performs regex matching; it does not execute any external commands, make network calls, or modify files. The `SKILL.md` and `README.md` files provide clear, benign instructions for using the auditing tool. There is no evidence of malicious intent, prompt injection, or high-risk behaviors within this skill bundle itself.
Capability Assessment
Purpose & Capability
The name/description (security-audit) aligns with the included audit.py and README/SKILL.md. The only required binary is python3, which is appropriate for a Python script; there are no unrelated env vars, credentials, or surprising dependencies.
Instruction Scope
SKILL.md tells the agent/user to run `python audit.py path/to/skill.md`. audit.py reads only the supplied file and performs regex-based heuristics for exfiltration, file-access, and shell patterns, then prints a risk summary. It does not perform network calls or read other system files itself. Note: it flags mentions of sensitive paths/keywords but does not automatically inspect those other paths.
Install Mechanism
There is no install spec; the skill is instruction-only with a bundled audit.py. That is low-risk — nothing is downloaded or extracted from external URLs and the code is present in the bundle for review.
Credentials
No environment variables, credentials, or config paths are requested. The tool's scope does not require secrets or external tokens.
Persistence & Privilege
always is false, model invocation is normal, and the skill does not attempt to modify agent/system configuration or persist credentials. It runs on-demand and has no elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install agents-skill-security-audit - After installation, invoke the skill by name or use
/agents-skill-security-audit - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of the security-audit skill.
- Provides heuristic scanning of skill.md instructions for supply-chain risks.
- Detects exfiltration patterns such as HTTP POST requests, unknown domain curl commands, ~/.env reads, and credential keywords.
- Summarizes detected filesystem and network accesses as a permission manifest reminder.
- Generates a safe report in markdown format with an assigned risk level.
- Simple command-line usage via Python.
Metadata
Frequently Asked Questions
What is Security Audit?
Minimal helper to audit skill.md-style instructions for supply-chain risks. It is an AI Agent Skill for Claude Code / OpenClaw, with 1245 downloads so far.
How do I install Security Audit?
Run "/install agents-skill-security-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Security Audit free?
Yes, Security Audit is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Security Audit support?
Security Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Security Audit?
It is built and maintained by cerbug45 (@cerbug45); the current version is v0.1.0.
More Skills