功能描述

Enterprise AI Agent Security Scanner - 846 rules, three-layer detection architecture, risk tier classification. Detects prompt injection, credential theft, d...

使用说明 (SKILL.md)

AI Agent Security Scanner v6.2.0

Name: Clawhub Publish V621
Author: caidongyun

企业级 AI Agent 安全扫描工具，检测恶意代码、供应链攻击、凭据窃取和攻击链。

🎯 核心指标

指标	v6.2.0
规则数	846
检测架构	三层 (PatternEngine → HybridRuleEngine → LLMEngine)
扫描速度	~385 文件/秒
风险分级	5 级 (CRITICAL/HIGH/MEDIUM/LOW/INFO)

🔥 v6.2.0 新特性

风险分级体系

Curl 风险分级: 白名单域名 + 敏感参数检测
凭据窃取检测: 攻击链识别 (诱导→混淆→外传)
5 级风险体系: CRITICAL/HIGH/MEDIUM/LOW/INFO

单 Skill 熔断机制

默认阈值: 500 文件/目录
防止恶意软件塞入大量文件拖慢扫描

规则库优化

去重 88 条规则 (928 → 846)
新增 6 条凭据攻击链规则 (CRED-CHAIN-001~006)
419 条 severity 统一为大写

💻 使用

命令行

# 扫描目录
python3 scanner.py /path/to/skills/

# 并发扫描 (8 worker)
python3 scanner.py /path/to/skills/ --workers 8

# 输出 JSON 报告
python3 scanner.py /path/to/skills/ --output json --output-file report.json

# 单 Skill 熔断阈值
python3 scanner.py /path/to/skills/ --skill-max-files 500

npm

npm install -g @caidongyun/security-scanner
agent-scanner /path/to/skills/

📦 安装

# pip
pip install -r requirements.txt

# npm
npm install -g @caidongyun/security-scanner

📁 文件结构

├── scanner.py                  # 主扫描器
├── whitelist_filter.py         # 白名单过滤
├── config_detector.py          # 配置文件检测
├── context_aware_filter.py     # 上下文感知过滤
├── credential_theft_classifier.py  # 凭据窃取攻击链检测
├── curl_risk_classifier.py     # Curl 风险分级
├── risk_tier_classifier.py     # 5 级风险体系
├── security_tool_detector.py   # 安全工具识别
├── scan                        # CLI 入口
├── src/engines/                # 8 个检测引擎
├── rules/dist/all_rules.json   # 846 条规则
├── package.json                # npm 配置
├── README.md                   # 使用文档
└── RELEASE_NOTES.md            # 发布说明

🔗 链接

Gitee: https://gitee.com/caidongyun/agent-security-skill-scanner
GitHub: https://github.com/caidongyun/agent-security-skill-scanner
NPM: @caidongyun/[email protected]

v6.2.0 | 846 Rules | Three-Layer Detection | Risk Tier Classification | Attack Chain Detection

安全使用建议

This skill appears to be a legitimate AI-agent security scanner, but exercise caution before installing or running it against sensitive directories. Actions to consider: - Do not provide an LLM API key (LLM_API_KEY) unless you've reviewed the LLMEngine implementation (src/engines/llm_engine.py) and are comfortable with how it constructs prompts and handles outputs. - Inspect the truncated/omitted engine code (especially LLM engine and any code that sends data out) and the full rules file (rules/dist/all_rules.json) for hidden URLs or prompt templates that might instruct an LLM. - Because the scanner reads files (including configs) and can identify secrets, run it in an isolated environment (VM/container) and avoid scanning directories that contain live credentials or private keys. - Verify the package/source (GitHub/Gitee links) match a trusted upstream and prefer cloning/inspecting the repo before running any install scripts or 'npm install -g'. - If you plan to use the LLM review feature, run some controlled tests with benign and known malicious sample files to see how the LLM responds and whether prompt-injection patterns in scanned files can alter behavior. If you want, I can: (a) list the omitted engine files for closer review, (b) search the repository for external network endpoints, or (c) review src/engines/llm_engine.py for exact prompt-building behavior — providing that would raise confidence in a safe/benign classification.

功能分析

Type: OpenClaw Skill Name: agent-security-skill-scanner Version: 6.2.0 The agent-security-skill-scanner bundle is a legitimate security tool designed to scan AI agent skill directories for malicious code and vulnerabilities. It employs a sophisticated three-layer detection architecture (Pattern, Rule, and LLM engines) and includes specialized modules for detecting credential theft chains (credential_theft_classifier.py), risky curl usage (curl_risk_classifier.py), and complex attack patterns (composite_detector.py). The scanner includes features to reduce false positives, such as a whitelist filter and a context-aware risk adjustment module (security_tool_detector.py). While it possesses high-privilege capabilities like broad file access and optional data transmission to LLM APIs (e.g., MiniMax), these are well-documented and consistent with its stated purpose as an enterprise-grade security scanner. No evidence of intentional malicious behavior or backdoors was found.

能力标签

cryptorequires-walletrequires-sensitive-credentials

能力评估

✓ Purpose & Capability

The name, description, and included Python/JS files (scanner.py, classifiers, rule engines, package.json) match an agent security-scanner. There are no unrelated required env vars or binaries declared. File list and README/usage instructions align with the stated purpose.

⚠ Instruction Scope

SKILL.md instructs running scanner.py / agent-scanner to scan skill directories (expected), but a prompt-injection pattern ('ignore-previous-instructions') was detected in SKILL.md. The scanner optionally invokes an LLM (LLMEngine) to re-check CRITICAL findings and extracts YAML 'payload' fields for separate analysis — meaning untrusted content can be passed to an LLM. That combination (embedded injection-like strings + LLM review of file payloads) creates a plausible attack vector to influence LLM-based decisions or outputs.

ℹ Install Mechanism

Registry has no formal install spec; the package includes package.json and recommends pip install -r requirements.txt and npm install -g @caidongyun/security-scanner. Declared Python deps are common (pyahocorasick, tqdm). No high-risk downloads or obfuscated installers were found in the provided files, but the repository links in docs point to external Git repositories — verify upstream sources before installing globally.

ℹ Credentials

The skill declares no required env vars, but scanner.py will optionally read an LLM API key from env (LLM_API_KEY) if the LLM layer is enabled. The scanner intentionally reads local files (including config files and potential secret locations) as part of its function; this is proportional to a security scanner but means it will touch potentially sensitive data. Do not run it against directories containing secrets unless you trust the code and isolate it.

✓ Persistence & Privilege

Flags are default: always:false and user-invocable:true. The skill does not request permanent/always-on presence and does not appear to modify other skills or system-wide agent settings in the provided files.

版本历史

v6.2.2

gzip压缩规则文件(332KB→31KB) + 运行时自动解压 + 风险分级 + 单Skill熔断 + 846规则

v6.2.1

风险分级 + 单Skill熔断 + 846规则 + gzip压缩规则(332KB→31KB) + 修正检测架构

v6.2.0

风险分级 + 单Skill熔断 + 846规则 + 攻击链检测

v6.1.7

- Added full source code files for the agent-security-skill-scanner, including scanner core, engines, filters, and configuration detectors. - Included all detection rules and supporting JSON files for Bash, PowerShell, Python, and JavaScript. - Provided full documentation: SKILL.md, README.md, and release notes. - Added npm and Python packaging files to enable multi-platform usage. - All key components are now included for standalone operation and integration.

v6.1.6

- Updated the skill manifest: changed `name` to `title` and incremented the version to 6.1.6. - No functional or code changes; documentation and metadata update only.

v6.1.5

- Changed skill version from 6.1.3 to 6.1.4 in the metadata. - Added "displayName: Agent Security Scanner" field for improved human readability. - No functional or usage changes; documentation structure and content remain the same.

v6.1.4

- Removed rules/all_rules.json from the repository. - No changes to functionality or detection capabilities. - All other files and documentation remain unchanged.

v6.1.3

- Major overhaul with significant file restructuring: 4 files added, 3 changed, 22 removed. - Introduced new core modules: `scanner.py`, `config_detector.py`, `whitelist_filter.py`, and comprehensive rule set in `rules/all_rules.json`. - Three-layer detection architecture: Pattern engine, rule engine, and optional LLM engine for deeper analysis and false positive reduction. - Improved detection coverage: 616 rules, 100% detection rate, and 0% false positive rate across 7 programming languages. - CLI and npm usage streamlined; usage examples and benchmarks included. - Documentation and legacy files removed or replaced to match new architecture and capabilities.

v4.1.5

v4.1.5: 修复显示名称

v4.1.4

v4.1.4: 从 GitHub 发布，修复显示名称

v4.1.3

v4.1.3: 添加 title 字段，修复 ClawHub 显示名称

v4.1.2

v4.1.2: 修复名称显示问题，统一为 Agent Security Skill Scanner

v4.1.1

v4.1.1: 清理旧版 release/v2.0.x，保持干净发布结构

v4.1.0

v4.1.0: 企业级 AI Agent 安全扫描器，多语言扫描，检测率 100%

v2.2.1

- Added extensive new detection rules and whitelist data files. - Introduced report generation scripts and automated release checking utilities. - Updated core documentation (README.md, SKILL.md, RELEASE.md) for new features and workflows. - Removed outdated or redundant guides and older incident documentation. - Improved data organization for detection rules and false positive management.

v2.0.1-beta

v2.0.1-beta: 初始公开测试版

元数据

Slug agent-security-skill-scanner

版本 6.2.0

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 16

常见问题

Clawhub Publish V621 是什么？

Enterprise AI Agent Security Scanner - 846 rules, three-layer detection architecture, risk tier classification. Detects prompt injection, credential theft, d... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 410 次。

如何安装 Clawhub Publish V621？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install agent-security-skill-scanner」即可一键安装，无需额外配置。

Clawhub Publish V621 是免费的吗？

是的，Clawhub Publish V621 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Clawhub Publish V621 支持哪些平台？

Clawhub Publish V621 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Clawhub Publish V621？

由 caidongyun（@caidongyun）开发并维护，当前版本 v6.2.0。

Clawhub Publish V621