← Back to Skills Marketplace

安全审核标准 - 自动化版

Name: 安全审核标准 - 自动化版
Author: tlcyqj2023

by tlcyqj2023 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install skill-vetter-2

Description

自动扫描 workspace/skills 目录中多种文件，识别风险关键词，生成安全审计报告并给出安装建议。

Usage Guidance

This skill appears to do what it claims: it reads files under /workspace/skills, searches for listed risky keywords, and writes a Markdown+JSON report to /workspace. Before installing or enabling it, consider: (1) it will read any secrets stored in /workspace/skills — ensure no sensitive credentials are there or rotate them after a scan; (2) substring matching is brittle: expect false positives (keywords in comments or docs) and some bypasses (obfuscated code or renamed files); (3) the filename-based whitelist can be abused by a file named to appear safe — review whitelist patterns if you rely on automatic exclusions; (4) run the scanner manually in a sandbox first (python3 scan_skills.py) to inspect the produced report and confirm it behaves as expected; (5) because it has read access to your skills directory, prefer running it in an environment with limited permissions or inspect its source (scan_skills.py) yourself — the code is short and readable. If you need, I can list exact lines where the scanner: (a) defines the keyword lists, (b) performs substring matching, and (c) writes the report so you can review them quickly.

Capability Analysis

Type: OpenClaw Skill Name: skill-vetter-2 Version: 1.0.0 The skill bundle is a security auditing tool designed to scan other skills in the `/workspace/skills/` directory for risky code patterns (e.g., `eval`, `os.system`, network calls). The implementation in `scan_skills.py` performs static string matching and generates local Markdown and JSON reports. There is no evidence of data exfiltration, unauthorized execution, or malicious intent; the behavior is entirely consistent with its stated purpose as a defensive utility.

Capability Assessment

✓ Purpose & Capability

Name/description claim to scan the workspace/skills directory and produce a risk report; the provided scan_skills.py implements exactly that (os.walk over /workspace/skills, substring keyword checks, Markdown+JSON report). There are no extra env variables, binaries, or external services required.

ℹ Instruction Scope

Instructions and script read every file under /workspace/skills for listed extensions and produce local reports in /workspace. This is consistent with purpose but means the skill will read any sensitive data stored in that directory. Detection is done by simple substring matching (kw in content) rather than robust parsing, which causes likely false positives (comments/strings) and false negatives (obfuscated patterns). The whitelist logic is filename-based (SAFE_PATTERNS) and can be bypassed by a maliciously named file; the scanner does not attempt deeper static analysis or network sink detection.

✓ Install Mechanism

No install spec and no external downloads. The skill is instruction-only with a bundled Python script that runs in-place. No packages are installed and no archives are fetched.

ℹ Credentials

The skill requests no credentials or env vars, which is proportional. However, it requires read access to /workspace/skills (and will open many files), which is necessary for its purpose but means it can see any secrets or tokens present in that directory. The SUSPICIOUS keyword list contains dangerous tokens (e.g., 'eval(', 'os.system') only as literals in the scanner — they are not executed by the scanner itself (expected).

✓ Persistence & Privilege

Flags show always:false and normal autonomous invocation is allowed (platform default). The script writes only its own report files to /workspace and does not modify other skills or agent configuration. No elevated system privileges are requested.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install skill-vetter-2
After installation, invoke the skill by name or use /skill-vetter-2
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

v1.0.0: 初始版本，支持四级风险检测、白名单、修复建议

Metadata

Slug skill-vetter-2

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is 安全审核标准 - 自动化版?

自动扫描 workspace/skills 目录中多种文件，识别风险关键词，生成安全审计报告并给出安装建议。 It is an AI Agent Skill for Claude Code / OpenClaw, with 88 downloads so far.

How do I install 安全审核标准 - 自动化版?

Run "/install skill-vetter-2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 安全审核标准 - 自动化版 free?

Yes, 安全审核标准 - 自动化版 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 安全审核标准 - 自动化版 support?

安全审核标准 - 自动化版 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 安全审核标准 - 自动化版?

It is built and maintained by tlcyqj2023 (@tlcyqj2023); the current version is v1.0.0.

More Skills