← 返回 Skills 市场
307
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install 360guard-skillvetter-upgrade-version
功能描述
360-degree comprehensive security review Skill. Use before installing any Skill from ClawHub, GitHub, or other sources. Performs full security scans includin...
使用说明 (SKILL.md)
360Guard 🛡️
360-degree comprehensive security review — Like antivirus for your Skills
1. When to Use
- Before installing any Skill from ClawHub
- Before installing any Skill from GitHub or other sources
- When evaluating code shared by other Agents
- Any time you're asked to install unknown code
- Periodic audit of installed Skills (recommended monthly)
- Before running high-risk Skills for second verification
2. Core Principles
┌─────────────────────────────────────────────────────────────┐
│ 🛑 Security Layer Priority │
├─────────────────────────────────────────────────────────────┤
│ ⛔ EXTREME → Absolutely refuse to install │
│ 🔴 HIGH → Requires human approval │
│ 🟡 MEDIUM → Full code review + limited permissions │
│ 🟢 LOW → Basic review OK │
└─────────────────────────────────────────────────────────────┘
3. Security Checklist
3.1 Base Red Flags (from Skill Vetter)
🚨 Reject immediately if you see:
────────────────────────────────────────────────────────────
• curl/wget to unknown URLs
• Sends data to external servers
• Requests credentials/tokens/API keys
• Reads ~/.ssh, ~/.aws, ~/.config without clear reason
• Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
• Uses base64 decode on anything
• Uses eval() or exec() with external input
• Modifies system files outside workspace
• Installs packages without listing them
• Network calls to IPs instead of domains
• Obfuscated code (compressed, encoded, minified)
• Requests elevated/sudo permissions
• Accesses browser cookies/sessions
• Touches credential files
────────────────────────────────────────────────────────────
3.2 Extended Red Flags (New)
3.2.1 Persistence & Auto-start
🔴 Persistence check:
• Creates cron job / systemd service
• Modifies ~/.ssh/authorized_keys
• Writes to /etc/hosts
• Adds Login Items / Startup Items
• Modifies .bashrc / .zshrc / profile
• Registers LaunchAgent (macOS)
• Installs systemd user service
3.2.2 Monitoring & Eavesdropping
🔴 Monitoring permissions check:
• Requests screen capture/recording (screencapture)
• Requests audio recording permission
• Keyloggers
• Accesses microphone/camera
• File system monitoring (fswatch/inotify)
3.2.3 Data & Privacy
🔴 Data theft check:
• Reads clipboard (pbpaste)
• Reads environment variables (especially API_, SECRET, TOKEN)
• Accesses browser history/bookmarks
• Accesses macOS Keychain
• Accesses iMessage/SMS
• Accesses contacts/calendar
• Accesses photo library
3.2.4 Network & Communication
🔴 Network anomaly check:
• Initiates reverse shell (nc -e / bash -i)
• Uses Tor proxy
• DNS queries to suspicious domains
• WebSocket long connections
• IRC connections
• Non-standard ports (>65535 or \x3C1024 unusual)
• Hardcoded IP addresses (non-local)
3.2.5 Code Execution (Advanced)
🔴 Dynamic execution check:
• Dynamic import (importlib.import_module)
• __import__() dynamic loading
• compile() dynamic compilation
• xmlrpc / jsonrpc remote calls
• pickle / yaml / marshal deserialization
• exec() / eval() any string
• subprocess shell=True
3.2.6 File System
🟡 File operation check:
• Writes to executable paths outside /tmp
• Modifies /usr/local/bin
• Writes .dmg/.pkg installers
• Creates .hidden files/directories
• File permission modification (chmod +x)
• Symbolic links (pointing external)
• Contains binary files (.so/.dylib/.exe/.bin)
3.2.7 Dependencies & Supply Chain
🟡 Supply chain check:
• Dependency version range too wide (>1.0.0 not ^1.0.0)
• Dependencies from private/unknown sources
• Dependencies on deprecated packages
• Silent additional dependency downloads
• References other unvetted Skills
• Uses git submodule (may point to malicious repo)
3.2.8 Social Engineering
🟡 Social engineering check:
• Mimics popular Skill names (e.g., "github", "weather-ai")
• README overpromises ("one-click to do everything...")
• No source code, only compiled binaries
• Author has no history
• Downloads vs stars ratio suspicious (fake reviews)
4. Risk Classification
| Risk Level | Example Checks | Action |
|---|---|---|
| 🟢 LOW | Text processing, weather, note formatting | Basic review, OK to install |
| 🟡 MEDIUM | File I/O, browser control, API calls | Full review + limited permissions |
| 🔴 HIGH | Credential access, Keychain, network requests | Human approval + sandbox test |
| ⛔ EXTREME | Persistence, root access, keylogging, reverse shell | Refuse |
5. Trust Hierarchy
| Source | Review Level | Recommendation |
|---|---|---|
| Official OpenClaw Skills | Low (still review) | Basic check |
| High-star Repo (1000+) | Medium | Standard check |
| Known Authors | Medium | Standard check |
| Unknown Sources | High | Full check |
| Requests credentials | Extreme | Refuse |
| Modifies system files | Extreme | Refuse |
6. Automated Scanning Scripts
6.1 Quick Scan (quick-scan.sh)
#!/bin/bash
# Usage: ./quick-scan.sh /path/to/skill
# Output: Quick risk assessment report
SKILL_PATH=$1
echo "🔍 360Guard Quick Scan: $SKILL_PATH"
echo "================================"
# Check dangerous functions
echo -e "\
📡 Network request check:"
grep -r "curl\|wget\|fetch\|http\.\|https\.\|socket" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" | head -5
# Check sensitive file access
echo -e "\
🔑 Sensitive path check:"
grep -r "~/.ssh\|~/.aws\|~/.config\|/etc/hosts\|authorized_keys" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py"
# Check dangerous commands
echo -e "\
⚠️ Dangerous command check:"
grep -r "eval\|exec\|shell=True\|base64 -d\|openssl" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py"
echo -e "\
✅ Quick scan complete"
6.2 Full Scan (full-scan.sh)
#!/bin/bash
# Usage: ./full-scan.sh /path/to/skill
# Output: Complete security assessment report
SKILL_PATH=$1
REPORT="$SKILL_PATH/360guard-report.txt"
echo "🛡️ 360Guard Full Scan: $SKILL_PATH" | tee "$REPORT"
echo "========================================" | tee -a "$REPORT"
# 1. File structure check
echo -e "\
📁 File structure:" | tee -a "$REPORT"
find "$SKILL_PATH" -type f | head -20 | tee -a "$REPORT"
# 2. Dangerous function scan
echo -e "\
⚠️ Dangerous function scan:" | tee -a "$REPORT"
for pattern in "eval(" "exec(" "shell=True" "base64" "subprocess" "importlib" "__import__" "pickle" "yaml.load" "xmlrpc" "socket.create_connection"; do
result=$(grep -r "$pattern" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" 2>/dev/null)
if [ -n "$result" ]; then
echo " ❌ Found: $pattern" | tee -a "$REPORT"
echo "$result" | head -3 | tee -a "$REPORT"
fi
done
# 3. Sensitive path scan
echo -e "\
🔑 Sensitive path scan:" | tee -a "$REPORT"
for pattern in "~/.ssh" "~/.aws" "~/.config" "/etc/hosts" "authorized_keys" "keychain" "credentials" ".env"; do
result=$(grep -r "$pattern" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" 2>/dev/null)
if [ -n "$result" ]; then
echo " ⚠️ Warning: $pattern" | tee -a "$REPORT"
fi
done
# 4. Network request scan
echo -e "\
🌐 Network request scan:" | tee -a "$REPORT"
grep -r "http://\|https://\|wget\|curl\|fetch" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" | grep -v "^#" | head -10 | tee -a "$REPORT"
# 5. Persistence check
echo -e "\
⏰ Persistence check:" | tee -a "$REPORT"
for pattern in "cron" "systemd" "launchd" "login item" "startup" "autostart"; do
result=$(grep -ri "$pattern" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" 2>/dev/null)
if [ -n "$result" ]; then
echo " 🔴 High risk: $pattern" | tee -a "$REPORT"
fi
done
# 6. Dependency check
echo -e "\
📦 Dependency check:" | tee -a "$REPORT"
if [ -f "$SKILL_PATH/package.json" ]; then
cat "$SKILL_PATH/package.json" | grep -E "dependencies|devDependencies" -A 20 | tee -a "$REPORT"
fi
if [ -f "$SKILL_PATH/requirements.txt" ]; then
cat "$SKILL_PATH/requirements.txt" | tee -a "$REPORT"
fi
if [ -f "$SKILL_PATH/package.yaml" ]; then
cat "$SKILL_PATH/package.yaml" | tee -a "$REPORT"
fi
# 7. Binary file check
echo -e "\
💾 Binary file check:" | tee -a "$REPORT"
find "$SKILL_PATH" -type f \( -name "*.so" -o -name "*.dylib" -o -name "*.exe" -o -name "*.bin" -o -name "*.dll" \) 2>/dev/null | tee -a "$REPORT"
echo -e "\
========================================" | tee -a "$REPORT"
echo "✅ Full scan complete, report saved to: $REPORT"
6.3 Node.js Scanner (scanner.js)
#!/usr/bin/env node
/**
* 360Guard Node.js Scanner
* Usage: node scanner.js /path/to/skill
*/
const fs = require('fs');
const path = require('path');
const { execSync } = require('child_process');
const DANGER_PATTERNS = {
CRITICAL: [
{ pattern: /eval\s*\(/, name: 'eval() execution' },
{ pattern: /exec\s*\(/, name: 'exec() execution' },
{ pattern: /shell\s*=\s*true/i, name: 'subprocess shell=True' },
{ pattern: /base64.*decode/i, name: 'base64 decode' },
{ pattern: /pickle\.load/i, name: 'pickle deserialization' },
{ pattern: /yaml\.load/i, name: 'yaml deserialization' },
{ pattern: /__import__\s*\(/, name: 'dynamic import' },
{ pattern: /importlib\.import_module/i, name: 'dynamic module load' },
{ pattern: /xmlrpc/i, name: 'XML-RPC remote call' },
{ pattern: /reverse.*shell|nc\s+-e|bash\s+-i/i, name: 'reverse shell' }
],
HIGH: [
{ pattern: /curl\s+/, name: 'curl request' },
{ pattern: /wget\s+/, name: 'wget download' },
{ pattern: /fetch\s*\(/, name: 'fetch request' },
{ pattern: /https?:\/\/\d{1,3}\.\d{1,3}/, name: 'direct IP connection' },
{ pattern: /process\.env/i, name: 'environment variable access' },
{ pattern: /child_process/, name: 'subprocess execution' }
],
MEDIUM: [
{ pattern: /\/\.ssh\//, name: 'SSH directory access' },
{ pattern: /\/\.aws\//, name: 'AWS directory access' },
{ pattern: /keychain/i, name: 'Keychain access' },
{ pattern: /credentials|token|secret/i, name: 'credential related' },
{ pattern: /cron|systemd|launchd/i, name: 'persistence mechanism' }
]
};
function scanFile(filePath) {
const results = { CRITICAL: [], HIGH: [], MEDIUM: [] };
try {
const content = fs.readFileSync(filePath, 'utf8');
for (const [level, patterns] of Object.entries(DANGER_PATTERNS)) {
for (const { pattern, name } of patterns) {
if (pattern.test(content)) {
results[level].push({ file: filePath, issue: name });
}
}
}
} catch (e) {
// Skip unreadable files
}
return results;
}
function scanDirectory(dirPath) {
const allResults = { CRITICAL: [], HIGH: [], MEDIUM: [] };
function walk(dir) {
const files = fs.readdirSync(dir);
for (const file of files) {
const fullPath = path.join(dir, file);
const stat = fs.statSync(fullPath);
if (stat.isDirectory() && !file.startsWith('.')) {
walk(fullPath);
} else if (stat.isFile()) {
const ext = path.extname(file);
if (['.js', '.ts', '.py', '.sh', '.bash'].includes(ext)) {
const results = scanFile(fullPath);
for (const level of Object.keys(allResults)) {
allResults[level].push(...results[level]);
}
}
}
}
}
walk(dirPath);
return allResults;
}
function generateReport(skillPath, results) {
console.log('\
🛡️ 360Guard Security Scan Report');
console.log('='.repeat(50));
console.log(`📂 Scan path: ${skillPath}`);
console.log('');
const riskOrder = ['CRITICAL', 'HIGH', 'MEDIUM'];
const emoji = { CRITICAL: '🔴', HIGH: '⚠️', MEDIUM: '🟡' };
for (const level of riskOrder) {
if (results[level].length > 0) {
console.log(`\
${emoji[level]} ${level} risk (${results[level].length} items):`);
for (const item of results[level]) {
console.log(` • ${item.issue}`);
console.log(` File: ${item.file}`);
}
}
}
console.log('\
' + '='.repeat(50));
if (results.CRITICAL.length > 0) {
console.log('🔴 Conclusion: Critical risks found, NOT recommended to install');
process.exit(1);
} else if (results.HIGH.length > 0) {
console.log('⚠️ Conclusion: High risk found, human approval required');
process.exit(2);
} else if (results.MEDIUM.length > 0) {
console.log('🟡 Conclusion: Medium risk found, please review carefully');
process.exit(0);
} else {
console.log('✅ Conclusion: No obvious risks found');
process.exit(0);
}
}
// Main
const skillPath = process.argv[2] || '.';
if (!fs.existsSync(skillPath)) {
console.error('❌ Path does not exist:', skillPath);
process.exit(1);
}
const stat = fs.statSync(skillPath);
const results = stat.isDirectory() ? scanDirectory(skillPath) : scanFile(skillPath);
generateReport(skillPath, results);
7. Output Format
After vetting, produce this format:
╔══════════════════════════════════════════════════════════╗
║ 🛡️ 360Guard Security Review Report ║
╠══════════════════════════════════════════════════════════╣
║ Skill Name: [name] ║
║ Source: [ClawHub / GitHub / other] ║
║ Author: [username] ║
║ Version: [version] ║
╠══════════════════════════════════════════════════════════╣
║ 📊 Scan Statistics ║
║ • File count: [count] ║
║ • Lines of code: [count] ║
║ • Dependencies: [count] ║
╠══════════════════════════════════════════════════════════╣
║ 🚨 Issues Found ║
║ 🔴 Critical: [count] ║
║ ⚠️ High: [count] ║
║ 🟡 Medium: [count] ║
╠══════════════════════════════════════════════════════════╣
║ 📋 Detailed Issue List ║
║ [List each issue with file location, type, risk level] ║
╠══════════════════════════════════════════════════════════╣
║ 💾 Permissions Required ║
║ • File read: [list or "None"] ║
║ • File write: [list or "None"] ║
║ • Network: [list or "None"] ║
║ • Commands: [list or "None"] ║
╠══════════════════════════════════════════════════════════╣
║ 🎯 Risk Level: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME] ║
╠══════════════════════════════════════════════════════════╣
║ ⚖️ Final Verdict ║
║ [✅ Safe to install / ⚠️ Install with caution / ❌ Do not install] ║
╠══════════════════════════════════════════════════════════╣
║ 📝 Notes ║
║ [Any other observations and recommendations] ║
╚══════════════════════════════════════════════════════════╝
8. Quick Commands
Vet ClawHub Skill
# Method 1: Download and scan
wget -O skill.zip "https://clawhub.ai/api/download/SKILL_NAME"
unzip skill.zip
node ~/.npm-global/lib/node_modules/openclaw/skills/360guard/scripts/scanner.cjs ./SKILL_NAME
rm -rf skill.zip SKILL_NAME
# Method 2: GitHub repo scan
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, updated: .updated_at}'
git clone https://github.com/OWNER/REPO
node ~/.npm-global/lib/node_modules/openclaw/skills/360guard/scripts/scanner.cjs ./REPO
Quick Vet Commands
# Check repo stats
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars, forks, updated, language}'
# List all files
curl -s "https://api.github.com/repos/OWNER/REPO/contents/" | jq '.[].name'
# Get SKILL.md
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/SKILL.md"
9. Remember
- ❌ No Skill is worth compromising security
- ❓ When in doubt, don't install
- 🧑🦰 High-risk decisions: ask your human
- 📝 Document your vetting for future reference
- 🔄 Periodically re-vet installed Skills
🛡️ 360Guard — 360-degree security for your Agent
安全使用建议
This skill is a scanner and generally does what it says, but I found two things to worry about: (1) the Node scanner excludes a 'scripts' directory from scanning, which could hide malicious scripts from its own checks — that contradicts 'comprehensive' scanning and should be fixed or at least documented; (2) SKILL.md contains unicode control characters (prompt-injection signal) — inspect and remove them or ask the publisher why they're present. Before running 360Guard on untrusted Skills, do these steps: run it on a copy of the target in an isolated environment (container or VM), manually inspect the target's scripts/ and any files the scanner would skip, examine scripts/scanner.cjs and the bash scripts to ensure they are benign, and avoid scanning targets that contain sensitive credentials unless done in a fully controlled sandbox. If the author or source is known and you can confirm the control chars are benign and the 'scripts' exclusion is intended and documented, this assessment would move toward benign.
功能分析
Type: OpenClaw Skill
Name: 360guard-skillvetter-upgrade-version
Version: 1.0.0
The 360Guard skill is a security auditing tool designed to perform static analysis on other OpenClaw skills. It provides a comprehensive checklist in SKILL.md and automated scanning scripts (full-scan.sh, quick-scan.sh, and scanner.cjs) that search for dangerous patterns such as shell injection, persistence mechanisms, and sensitive path access. The code logic is consistent with its stated purpose of security vetting, and there is no evidence of data exfiltration, obfuscation, or malicious intent.
能力评估
Purpose & Capability
The skill's name, description, and included scripts (Node scanner + quick/full bash scans) are consistent with a 'skill vetter' — it performs static pattern checks and produces reports. However, the Node scanner intentionally excludes a 'scripts' directory (EXCLUDE_DIRS includes 'scripts'), which is surprising for a scanner because many malicious behaviors live in script directories; this exclusion undermines the stated goal of comprehensive scanning and is disproportionate to the purpose.
Instruction Scope
SKILL.md instructs running the provided quick/full scans and the Node scanner against target Skill folders (expected). But a pre-scan detected unicode-control-chars in SKILL.md (prompt-injection pattern), which is suspicious and could indicate an attempt to influence or confuse automated evaluators or viewers. The scripts read files under the target path and write a report into the same scanned directory (360guard-report-*.txt) — writing reports is expected, but running these tools on untrusted code should be done in a sandbox. The scanner's pattern list includes process.env and credential regexes to detect sensitive access (expected), but the exclusion of 'scripts' can create blind spots.
Install Mechanism
No install spec is present (instruction-only with shipped scripts). That is lower risk than arbitrary remote downloads. The skill ships local scripts rather than pulling code at install time, so nothing is downloaded from unknown URLs during installation.
Credentials
The skill declares no required environment variables or credentials, and its scanners only look for sensitive patterns in target code rather than requesting secrets. There is no disproportionate credential request. (Be aware the scanner flags process.env usages when scanning other code — that's normal for a vetter.)
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills' configs. It will create report files in the scanned directory, which is reasonable for a scanner, but you should run it in a sandbox when scanning untrusted packages.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install 360guard-skillvetter-upgrade-version - 安装完成后,直接呼叫该 Skill 的名称或使用
/360guard-skillvetter-upgrade-version触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
360Guard v1.0.0 — Initial release of the comprehensive Skill security scanning tool.
- Introduces "360Guard", a 360-degree Skill security review and risk classification system.
- Adds detailed red flag checklists for static analysis, persistence, monitoring, privacy, network, execution, file system, supply chain, and social engineering.
- Provides automatic risk-level classification and trust hierarchy guidance.
- Includes two automated scripts: `quick-scan.sh` for fast checks and `full-scan.sh` for deep analysis and reporting.
- Replaces prior knowledge management scripts with a security-focused scanner.
元数据
常见问题
360Guard 是什么?
360-degree comprehensive security review Skill. Use before installing any Skill from ClawHub, GitHub, or other sources. Performs full security scans includin... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 307 次。
如何安装 360Guard?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install 360guard-skillvetter-upgrade-version」即可一键安装,无需额外配置。
360Guard 是免费的吗?
是的,360Guard 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
360Guard 支持哪些平台?
360Guard 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 360Guard?
由 robinc913(@robinc913)开发并维护,当前版本 v1.0.0。
推荐 Skills