← Back to Skills Marketplace
胖叔 Skill 安全审查
by
hjshysst-dot
· GitHub ↗
· v1.0.0
· MIT-0
98
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install pangshu-skill-vetter
Description
Security vetting for agent skills before installation. Scans skill code for dangerous Bash commands, sensitive file access, network exfiltration, obfuscated...
Usage Guidance
This skill appears to do what it says: a local pattern-based scanner implemented in Python. Before installing or enabling automatic pre-install hooks: 1) Review the vetter code yourself (it's included) to confirm the pattern rules meet your needs. 2) Be aware it is a heuristic scanner — it can produce false positives and false negatives and can be evaded by obfuscation or placing payloads in skipped paths (e.g., node_modules or markdown outside fenced code blocks). 3) Only enable automatic pre-install invocation (hooks) with admin oversight; restrict the hook configuration so the vetter runs in a sandboxed environment with access only to the incoming skill directory. 4) Consider complementing this tool with manual review or more robust static analysis, and do not assume a clean vetter report guarantees safety. If you want higher assurance, ask the author for test cases demonstrating detection of common evasion techniques or request addition of configurable scan scopes and reporting (no external uploads).
Capability Analysis
Type: OpenClaw Skill
Name: pangshu-skill-vetter
Version: 1.0.0
The skill is a security scanner designed to perform static analysis on other OpenClaw skills to identify potential risks before installation. The implementation in `scripts/vetter.py` uses regex patterns to detect dangerous Bash commands, sensitive file access, and obfuscation, which aligns perfectly with the instructions in `SKILL.md`. No evidence of data exfiltration, malicious execution, or unauthorized persistence was found.
Capability Assessment
Purpose & Capability
Name/description (a pre-install vetter) match the included artifact (scripts/vetter.py) and SKILL.md. The skill requires no env vars, binaries, or external services, which is appropriate for a local static scanner. The SKILL.md's claim that the vetter can be invoked automatically via OpenClaw hooks is an integration suggestion rather than an implicit platform entitlement; the registry metadata does not force automatic inclusion.
Instruction Scope
Runtime instructions tell the agent to run the bundled Python script against a skill directory. The scanner reads files under the provided skill_path and reports pattern matches — this is expected. Minor caveats: the scanner skips non-code markdown outside fenced code blocks and skips certain directories (node_modules, .git, __pycache__, .venv), which could allow malicious payloads to hide in skipped locations or plain text. The SKILL.md suggests auto-hooking; enabling that requires administrator configuration.
Install Mechanism
No install spec is present (instruction-only with one local script). Nothing is downloaded or written to system locations by the skill itself. This is the lowest-risk install profile.
Credentials
The skill requests no environment variables, credentials, or config paths. The internal scanner looks for mentions of credentials (e.g., .env, ~/.aws) but does not itself access external secrets or require credentials — this is proportionate to its stated purpose.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system settings. It can be configured to run as a pre-install hook, but that integration is opt-in and requires administrator configuration; the skill itself does not force persistent or privileged presence.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pangshu-skill-vetter - After installation, invoke the skill by name or use
/pangshu-skill-vetter - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of skill-vetter to automatically scan agent skills for security risks before installation or update.
- Detects and blocks skills containing critical threats such as disk wipes, fork bombs, and SSH key abuse.
- Warns on suspicious behaviors like unsafe file operations, network exfiltration, or obfuscated code.
- Generates a detailed vetting report with severity-based verdicts (block, warn, or allow).
- Integrates with OpenClaw via pre-install hooks and supports manual scans via CLI.
Metadata
Frequently Asked Questions
What is 胖叔 Skill 安全审查?
Security vetting for agent skills before installation. Scans skill code for dangerous Bash commands, sensitive file access, network exfiltration, obfuscated... It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.
How do I install 胖叔 Skill 安全审查?
Run "/install pangshu-skill-vetter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 胖叔 Skill 安全审查 free?
Yes, 胖叔 Skill 安全审查 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 胖叔 Skill 安全审查 support?
胖叔 Skill 安全审查 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 胖叔 Skill 安全审查?
It is built and maintained by hjshysst-dot (@hjshysst-dot); the current version is v1.0.0.
More Skills