Agent Auditor

Author: Blossom · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Total downloads: 96 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw:
/install agent-auditor
Description
Audit any AI coding tool for telemetry, remote control, permissions, privacy, and hidden features. Generates a graded report (A-F).
Usage instructions (SKILL.md)

Agent Auditor

You are the Claws-Shield Agent Auditor — the world's most comprehensive AI coding tool audit engine.

What You Do

When invoked, you perform a deep audit of an AI coding tool's source code, analyzing:

  1. Telemetry & Data Collection — Identify all outbound data collection endpoints, classify data types, detect opt-out mechanisms
  2. Remote Control & Killswitches — Find managed settings, accept-or-die dialogs, model override capabilities, feature flag infrastructure
  3. Undercover Mode — Detect AI attribution stripping, "write as human" instructions, commit message manipulation
  4. Permissions — Map all permission requests, identify overprivileged tools, detect escalation patterns
  5. Network Traffic — Aggregate outbound hosts, classify 1P vs 3P, identify exfiltration destinations
  6. Hidden Features — Scan for unreleased tools behind feature flags, track feature readiness
  7. Privacy Score — Compute composite A-F grade with weighted scoring across all categories

How to Use

Run the audit against a target source directory:

npx @claws-shield/cli audit <path-to-source>

Or use the audit engine programmatically:

node scripts/run-audit.mjs <path-to-source>

Output

The audit produces a structured report with:

  • Overall grade (A-F) and score (0-100)
  • Per-category grades and findings
  • Evidence with source locations
  • Actionable recommendations
  • Comparison baselines

Scoring

Category Weight
Telemetry 30%
Remote Control 25%
Permissions 15%
Network 15%
Undercover 15%

Grades: A (90-100), B (80-89), C (65-79), D (50-64), F (0-49)

Safe usage recommendations
This skill is a wrapper around an external npm package that is not included in the bundle. Before installing or running it: (1) obtain and review the source of @claws-shield/auditor (or the @claws-shield/cli) — do not run npx blindly; (2) prefer a locally vendored, pinned version of the auditor so you can inspect it; (3) run the tool in an isolated sandbox or offline environment first (no network) to see what files it reads/writes; (4) check npm package metadata, publisher, versions, and integrity (tarball SHA); (5) avoid providing credentials or sensitive environment variables while testing; (6) if you cannot audit the external package, treat the skill as untrusted. These steps will reduce supply-chain and exfiltration risk.
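The pinning and integrity checks in steps (2) and (4) can be automated before anything is executed. The following is an added example, not code from the skill or from the @claws-shield packages; the function names, the sample lockfile entry, its version and its integrity value are constructed for illustration, and the default registry URL is an assumption.

```javascript
// Added example: pre-run gate for a skill that shells out to npx.
// 1) flag `npx` command lines that do not pin an exact version;
// 2) check that a vendored package-lock.json (v2/v3 layout) pins the package
//    to an exact version with a sha512 integrity value from the expected registry.

// Matches `npx [flags] <package>[@version]`; the package may be scoped.
const NPX_RE = /\bnpx\s+(?:-\S+\s+)*((?:@[\w.-]+\/)?[\w.-]+)(?:@(\S+))?/g;
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][\w.-]+)?$/;
// A base64-encoded SHA-512 digest is 86 characters plus "==" padding.
const SRI_SHA512 = /^sha512-[A-Za-z0-9+/]{86}==$/;

function findUnpinnedNpx(commandText) {
  const unpinned = [];
  for (const [, name, version] of commandText.matchAll(NPX_RE)) {
    // No version, a dist-tag such as "latest", or a range all float.
    if (!version || !EXACT_VERSION.test(version)) unpinned.push(name);
  }
  return unpinned;
}

function checkLockEntry(lock, name, registry = "https://registry.npmjs.org/") {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (!entry) return [`${name}: no lockfile entry (not vendored or pinned)`];
  const problems = [];
  if (!EXACT_VERSION.test(entry.version || "")) problems.push(`${name}: version is not exact`);
  if (!SRI_SHA512.test(entry.integrity || "")) problems.push(`${name}: missing or weak integrity`);
  if (!(entry.resolved || "").startsWith(registry)) problems.push(`${name}: resolved outside ${registry}`);
  return problems;
}

// The two commands from SKILL.md, as shown on this page.
const SAMPLE_SKILL_TEXT = [
  "npx @claws-shield/cli audit <path-to-source>",
  "node scripts/run-audit.mjs <path-to-source>",
].join("\n");

// Constructed lockfile fragment: version, URL and digest are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/@claws-shield/auditor": {
    version: "1.0.0",
    resolved: "https://registry.npmjs.org/@claws-shield/auditor/-/auditor-1.0.0.tgz",
    integrity: "sha512-" + "A".repeat(86) + "==",
  },
} };

console.log("unpinned npx:", findUnpinnedNpx(SAMPLE_SKILL_TEXT));
console.log("cli lock check:", checkLockEntry(SAMPLE_LOCK, "@claws-shield/cli"));
```

A matching lockfile entry only shows that the dependency is pinned; the digest still has to be compared against the tarball you actually reviewed.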
Functional analysis
Type: OpenClaw Skill · Name: agent-auditor · Version: 1.0.0
The Agent Auditor skill functions as a wrapper for an external security auditing tool, requiring high-risk permissions including 'Bash' and 'Write'. While the instructions in 'SKILL.md' and the logic in 'scripts/run-audit.mjs' are aligned with the stated purpose of analyzing AI tools for telemetry and privacy, the use of 'npx' to fetch external code and the broad shell/file access represent risky capabilities that meet the threshold for a suspicious classification despite the lack of clear malicious intent.
Capability assessment
Purpose & Capability
The name, description, and SKILL.md all describe an audit tool and the included wrapper script matches that purpose. However the real audit logic is delegated to an external npm package (@claws-shield/auditor) referenced by the script and by SKILL.md (npx @claws-shield/cli), but the skill provides no install spec or package source. That omission is disproportionate: a security/audit skill should either include its implementation or clearly declare and pin the external artifact being executed.
Instruction Scope
Runtime instructions tell the agent to read and analyze a target source tree (expected). But the included script simply imports and runs runAudit from @claws-shield/auditor — meaning the skill delegates arbitrary logic to that package. The SKILL.md gives no constraints on network access, telemetry, or on what runAudit may itself read, write, or transmit, so the true runtime scope is unknown and could include network exfiltration or reading unrelated environment/config.
Install Mechanism
There is no install spec. SKILL.md suggests using npx or node to run a package that is not bundled. Relying on npx/npm at runtime pulls arbitrary code from the npm registry (moderate-to-high risk) and the skill's on-disk files are only a tiny wrapper, so you cannot audit the actual logic without fetching the external package. This is a material install/supply-chain risk.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for a source-only audit. However because the audit logic lives in an external package, that package could attempt to read environment variables, credentials, or system config without that being declared. The lack of declared env vars therefore reduces transparency and is a risk factor.
Persistence & Privilege
The skill does not request always:true, does not declare persistent privileges, and contains no install that writes files beyond what npx/npm would normally cache. There is no explicit attempt to modify other skills or system-wide config in the provided files. Still, the external package could perform writes at runtime — that behavior is not visible from the skill bundle.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install agent-auditor
  3. Once installation completes, call the Skill by name or trigger it with /agent-auditor
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
- Initial release of Agent Auditor.
- Audits AI coding tools for telemetry, remote control, permissions, privacy, and hidden features.
- Generates structured, graded reports (A-F) with detailed findings and recommendations.
- Supports both CLI and programmatic usage.
- Includes composite grading with per-category breakdown and actionable recommendations.
Metadata
Slug agent-auditor
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Version count 1
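FAQ

What is Agent Auditor?

Audit any AI coding tool for telemetry, remote control, permissions, privacy, and hidden features. Generates a graded report (A-F). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 96 cumulative downloads so far.

How do I install Agent Auditor?

Run the command "/install agent-auditor" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Agent Auditor free?

Yes. Agent Auditor is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Agent Auditor support?

Agent Auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who develops Agent Auditor?

It is developed and maintained by Blossom (@mackding); the current version is v1.0.0.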