CMIC Skill Scanner (Linux ARM64)

by cyzlmh · GitHub ↗ · v0.8.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 151 · Stars: 0 · Active Installs: 0 · Versions: 8
Install in OpenClaw
/install cmic-skill-scanner-linux-arm64
Description
Audit skill packages or archives awaiting installation with the built-in Rust engine, optionally bridging to an external scanner.
README (SKILL.md)

Skill Scan Wrapper

Use this skill when you want to run a quick security check before installing a local skill, archive, or release bundle.

⚠️ Security Notice

This tool operates locally and requires user trust in the binary you run. Always verify the checksum after downloading. For maximum security, build from source (recommended).

Binary Included

Property | Value
Location | assets/bin/skillscan
Version | v0.8.0
Platform | Linux ARM64
SHA-256 | ee7fd87a3ad72984fcd60ba3adae1020fe7099d24332b7cc30e66034cd745dd7

Verify locally before running:

sha256sum assets/bin/skillscan
# Compare output with the SHA-256 value above

This bundled package includes a pre-compiled binary. You can still build from source if you prefer:

git clone https://gitee.com/random_player/cmic-skill-scanner.git
cd cmic-skill-scanner && cargo build --release

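Prerequisites

  • No external dependencies are required by default
  • The --upload-url and --engine external features are disabled by default and enabled only when the user explicitly configures them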

Trust Model

This is an open-source (MIT-0) package. The binary (bundled or downloaded) is a convenience only — it does not grant any additional trust.

Your options:

Approach | Trust Requirement | Verification
Build from source | None (you control everything) | Manual code review
Bundled/downloaded binary | You trust the release host | SHA-256 checksum

What the tool does NOT do by default:

  • Does NOT upload data anywhere
  • Does NOT connect to the network
  • Does NOT access credentials, SSH configs, or environment variables
  • Does NOT execute external tools unless you explicitly configure --engine external

Workflow

  1. Invoke skillscan:
skillscan review /path/to/target --format markdown
skillscan review /path/to/skills --output-dir /tmp/skillscan-out
  2. Read the following in the output: input type, completeness, engine execution status, findings

Network Upload Feature (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --upload-url.

What gets sent (only when you configure --upload-url):

  • A structured JSON report containing detection findings
  • An instance identifier you supply via --instance-id
  • No skill source code, credentials, or system configuration is ever transmitted

External Engine Integration (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --engine external.

Delegates pattern-matching to a user-configured local tool. This runs locally — no remote calls are made.

Permissions Required

Scope | Reason
Read files in target path | To analyze skill source code for patterns
Write to --output-dir | To save scan reports locally
Execute binary | To run the scanner engine
Network (optional) | Only if --upload-url is explicitly configured
Usage Guidance
This skill claims to be a local scanner and documents sensible defaults, but there are two things to check before running it: (1) the SKILL.md/INSTALL.md refer to a bundled binary (assets/bin/skillscan) and provide a SHA-256, yet the package manifest you were shown does not include that binary—do not run or trust any binary unless you can locate it and verify the checksum; (2) the optional --upload-url and --engine external flags can cause reports or engine work to run/send data externally—only enable them if you trust the endpoint and understand exactly what the report contains. Preferred safe path: clone the listed repository and build from source, manually review the code (or have someone you trust do so), and run the scanner in a sandboxed environment.
Capability Analysis
Type: OpenClaw Skill Name: cmic-skill-scanner-linux-arm64 Version: 0.8.0 The skill bundle includes a pre-compiled Linux ARM64 binary (assets/bin/skillscan) and an optional network upload feature (--upload-url) for reporting scan results. While the tool's stated purpose is security auditing and it provides SHA-256 checksums and a source link (Gitee), the combination of binary execution and potential data exfiltration via remote reporting constitutes high-risk behavior that requires caution, despite the lack of clear malicious intent.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, and INSTALL.md all describe a local Rust-based scanner; that aligns with the declared purpose. However SKILL.md and INSTALL.md refer to a bundled binary at assets/bin/skillscan, while the registry file manifest does not list that binary — an inconsistency that should be resolved before trusting a claimed prebuilt binary.
Instruction Scope
Runtime instructions are narrowly scoped to scanning local skill packages and saving local reports. They explicitly state network/upload features are disabled by default and that credentials are not accessed unless configured. Still, the docs reference optional flags (--upload-url, --engine external) that, if enabled, will transmit structured findings or run an external engine; users must explicitly opt in to those behaviors.
Install Mechanism
The package is instruction-only (no install spec), which is low-risk. But the documentation advertises a bundled precompiled binary (with a SHA-256), yet that binary file is not present in the manifest. If a binary were included or you download one later, that would be higher risk — prebuilt binaries deserve checksum verification and ideally building from source. The referenced source repo (gitee.com) is plausible but is an external network dependency.
Credentials
The skill declares no required env vars or credentials and only needs file-read access to the target being scanned and write access to an output dir — which is proportional. Caveat: optional --upload-url will transmit a JSON report (instance-id required) to an external endpoint; while authors claim no source code or credentials are sent, scan findings and metadata could still contain sensitive information. Confirm the upload endpoint and the exact payload before enabling uploads.
Persistence & Privilege
The skill does not request always:true, does not require persistent presence, and does not declare changes to other skills or system-wide settings. Autonomous invocation is allowed by default (platform normal), but that alone is not a red flag here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cmic-skill-scanner-linux-arm64
  3. After installation, invoke the skill by name or use /cmic-skill-scanner-linux-arm64
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.8.0
v0.8.0 introduces breaking changes and major documentation/usage updates.
  • Renamed the skill to "skillscan-wrapper" with a new purpose and description.
  • Completely overhauled documentation: clearer security notes, detailed trust model, Chinese localization.
  • Updated binary info: Version bump to 0.8.0 (Linux ARM64).
  • Added explanations for optional features (`--upload-url`, `--engine external`), which remain disabled by default.
  • Outlined explicit permissions and clarified user responsibilities for verification and security.
v0.6.4
  • Updated to version 0.6.4.
  • Improved documentation with clearer descriptions of what the scanner checks and how it operates.
  • Revised detection categories for more precise explanation of what is flagged in skills.
  • Updated release and checksum links to match the new version.
  • Streamlined permissions and removed redundant metadata.
v0.6.3
  • Updated to version 0.6.3.
  • Changed author repository URL from cyzlmh to random_player.
  • Added explicit permissions section noting local file read requirements.
  • Improved documentation with clearer verification and usage instructions.
  • Provided checksums and direct links for verifying the release.
  • Expanded feature descriptions for increased transparency.
v0.6.2
  • Updated to version 0.6.2 with an improved SKILL.md description and metadata.
  • Added repository link and open source details; emphasized MIT-0 license.
  • Clarified included binary location, version, and verification instructions.
  • Listed key security checks for better transparency.
  • Updated links for releases and documentation.
v0.6.1
  • Updated built-in scanner binary to version 0.6.1 in documentation.
  • Revised SKILL.md for improved clarity, adding version, license details (MIT-0), author metadata, tags, and usage triggers.
  • Enhanced English usage instructions and output details.
  • Added instructions for downloading for other platforms.
  • Minor metadata and formatting improvements for enterprise and public use.
v0.6.0
  • Updated SKILL.md with improved English description and rebranded package name to "cmic-skill-scanner".
  • Maintained all command usage details and integration examples.
  • Updated embedded binary version to v0.6.0 in documentation.
  • No changes to workflow or interface.
v0.5.0
cmic-skill-scanner-linux-arm64 v0.5.0
  • Updated documentation in SKILL.md with a new concise usage guide in Chinese and streamlined enterprise integration instructions.
  • Clarified internal binary version, platform, and checksum details.
  • INSTALL.md and build metadata updated for v0.5.0.
  • No change to core binary or scanning logic in this release.
v0.2.0
  • Added detailed documentation describing the security audit tool, its permissions, usage, and verification steps.
  • Clarified that it is a defensive security tool for skill package scanning prior to installation.
  • Outlined supported triggers, permissions, and explicit user controls for network and file access.
  • Provided checksum verification instructions and source code transparency details.
  • Listed major detection capabilities and platform availability for Linux ARM64.
Metadata
Slug cmic-skill-scanner-linux-arm64
Version 0.8.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 8
Frequently Asked Questions

What is CMIC Skill Scanner (Linux ARM64)?

Audit skill packages or archives awaiting installation with the built-in Rust engine, optionally bridging to an external scanner. It is an AI Agent Skill for Claude Code / OpenClaw, with 151 downloads so far.

How do I install CMIC Skill Scanner (Linux ARM64)?

Run "/install cmic-skill-scanner-linux-arm64" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is CMIC Skill Scanner (Linux ARM64) free?

Yes, CMIC Skill Scanner (Linux ARM64) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does CMIC Skill Scanner (Linux ARM64) support?

CMIC Skill Scanner (Linux ARM64) is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created CMIC Skill Scanner (Linux ARM64)?

It is built and maintained by cyzlmh (@cyzlmh); the current version is v0.8.0.
