← 返回 Skills 市场

361SCAN security check your skill python scripts

Name: 361SCAN security check your skill python scripts
Author: goog

作者 Jay · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install 361

功能描述

Scan and analyze installed skills. Use when user wants to (1) scan a specific skill directory to view its name, description, and details, or (2) scan all ins...

使用说明 (SKILL.md)

361scan - Skill Scanner

Scan and analyze installed skills in the OpenClaw workspace's skills directory.

Setup

pip install skill-361

Usage

Scan a specific skill

361 scan \x3Cskill-path>

Example: 361 scan ~/.openclaw/skills/my-skill

Scan all installed skills

361 scan-all \x3Cskills-directory>

Example: 361 scan-all ~/.openclaw/skills

How It Works

Validate the target path - Check if the directory exists
Find all SKILL.md files - Recursively search for SKILL.md in subdirectories
Parse skill metadata - Extract name and description from YAML frontmatter
Display results - Show skill name, path, and description in a readable format

Output Format

For each skill found:

Name: Extracted from frontmatter name field
Path: Relative or absolute path to the skill
Description: Extracted from frontmatter description field

Examples

Scan specific skill:

361 scan ~/.openclaw/workspace/skills/clawbackup

Output:

Skill:  clawbackup
  Status: 🟢 SAFE
  Score:  87/100
  Issues: 4
  Breakdown: ☠️ 0  🚨 0  ⚠️ 1  ℹ️ 1

Scan all skills:

361 scan-all ~/.openclaw/workspace/skills

Implementation Notes

Skills are directories containing a SKILL.md file
YAML frontmatter must have name and description fields
Recursive search allows scanning nested skill directories
Handle missing or malformed SKILL.md files gracefully

安全使用建议

This skill's behavior (reading SKILL.md files and extracting YAML frontmatter) is coherent with its description, but the SKILL.md tells you to run `pip install skill-361` even though the package is not declared in the registry metadata. Before installing or running it: (1) verify the pip package's source and maintainer on PyPI (or inspect the package contents) — don't install unknown packages into your main environment, (2) run the package in an isolated environment (virtualenv, container) if you must install it, (3) avoid scanning sensitive directories — the CLI accepts arbitrary paths and will read files it is pointed at, and (4) prefer tools with an explicit install spec or source repository you can audit. If you can, request the upstream package repository or source files for review; that would change this assessment to benign if the install is from a trusted, auditable source.

功能分析

Type: OpenClaw Skill Name: 361 Version: 1.0.0 The bundle contains metadata and documentation for a skill-scanning utility called '361scan'. The SKILL.md file describes a tool designed to list and analyze installed skills by parsing YAML frontmatter from SKILL.md files within a workspace. No malicious code, data exfiltration logic, or harmful prompt-injection instructions are present in the provided files.

能力评估

✓ Purpose & Capability

Name and description match the instructions: the skill is an instruction-only scanner that searches for SKILL.md files and extracts frontmatter. The required resources declared in the registry are minimal and consistent with this purpose.

ℹ Instruction Scope

Runtime instructions are limited to validating paths, recursively finding SKILL.md files, parsing YAML frontmatter, and displaying results — all consistent with a local skills scanner. However, the CLI usage allows scanning any filesystem path the user supplies, so misuse could expose arbitrary local files if pointed outside the skills directory. The SKILL.md does not specify safeguards, nor does it outline what metadata is collected beyond name/description.

⚠ Install Mechanism

There is no formal install spec in the registry, but the SKILL.md tells users to run `pip install skill-361`. That requires downloading and executing code from PyPI (or another pip index) outside of the registry's control. Because the package name is not declared in metadata and the source/maintainer is unknown, this is a risk: the installer could contain arbitrary code, which is higher risk than a pure instruction-only skill.

✓ Credentials

No environment variables, credentials, or config paths are requested. The scanner only needs filesystem read access to the target directories. That access level is proportionate to the stated purpose, though the tool's ability to scan arbitrary paths should be considered when granting it filesystem access.

✓ Persistence & Privilege

The skill does not request always: true, does not declare autonomous-only behavior, and does not request persistent privileges or modify other skills. No elevated persistence or cross-skill configuration changes are indicated.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install 361
安装完成后，直接呼叫该 Skill 的名称或使用 /361 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of the 361scan skill. - Scan a specific skill directory to display its name, description, and details. - Scan all installed skills in a directory, listing each skill's name and description. - Recursively searches for SKILL.md files and extracts metadata from YAML frontmatter. - Handles missing or malformed SKILL.md files gracefully. - Output includes name, path, and description for each skill found.

元数据

Slug 361

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题