← 返回 Skills 市场
cerbug45

Security Audit

作者 cerbug45 · GitHub ↗ · v0.1.0
cross-platform ✓ 安全检测通过
1245
总下载
0
收藏
9
当前安装
1
版本数
在 OpenClaw 中安装
/install agents-skill-security-audit
功能描述
Minimal helper to audit skill.md-style instructions for supply-chain risks.
使用说明 (SKILL.md)

security-audit

Minimal helper to audit skill.md-style instructions for supply-chain risks.

Features

  • Heuristic scan for exfiltration patterns (HTTP POST, curl to unknown domains, reading ~/.env, credential keywords).
  • Permission manifest reminder: lists filesystem/network touches it sees.
  • Safe report: markdown summary + risk level.

Usage

python audit.py path/to/skill.md > report.md
安全使用建议
This skill appears coherent and low-risk: it's a local Python script that heuristically scans a single skill.md for suspicious patterns. Before using it, quickly eyeball audit.py yourself (it's short and included), and be aware it only searches text with simple regexes (it can miss obfuscated strings, multi-file issues, or nested downloads). Don't rely solely on its output — treat it as a first-pass aid and perform manual review for anything flagged. If you plan to scan skill files containing secrets, run the tool on a sanitized copy or in a sandboxed environment.
功能分析
Type: OpenClaw Skill Name: agents-skill-security-audit Version: 0.1.0 This skill bundle is designed to audit other OpenClaw skill bundles for supply-chain risks. The `audit.py` script scans input files for patterns indicative of data exfiltration (e.g., `http://`, `webhook`, `ngrok`), sensitive file access (e.g., `.env`, `.ssh`, `credentials`), and dangerous shell commands (e.g., `curl | bash`, `sudo`, `rm -rf`). The script itself only reads files and performs regex matching; it does not execute any external commands, make network calls, or modify files. The `SKILL.md` and `README.md` files provide clear, benign instructions for using the auditing tool. There is no evidence of malicious intent, prompt injection, or high-risk behaviors within this skill bundle itself.
能力评估
Purpose & Capability
The name/description (security-audit) aligns with the included audit.py and README/SKILL.md. The only required binary is python3, which is appropriate for a Python script; there are no unrelated env vars, credentials, or surprising dependencies.
Instruction Scope
SKILL.md tells the agent/user to run `python audit.py path/to/skill.md`. audit.py reads only the supplied file and performs regex-based heuristics for exfiltration, file-access, and shell patterns, then prints a risk summary. It does not perform network calls or read other system files itself. Note: it flags mentions of sensitive paths/keywords but does not automatically inspect those other paths.
Install Mechanism
There is no install spec; the skill is instruction-only with a bundled audit.py. That is low-risk — nothing is downloaded or extracted from external URLs and the code is present in the bundle for review.
Credentials
No environment variables, credentials, or config paths are requested. The tool's scope does not require secrets or external tokens.
Persistence & Privilege
always is false, model invocation is normal, and the skill does not attempt to modify agent/system configuration or persist credentials. It runs on-demand and has no elevated privileges.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install agents-skill-security-audit
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /agents-skill-security-audit 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release of the security-audit skill. - Provides heuristic scanning of skill.md instructions for supply-chain risks. - Detects exfiltration patterns such as HTTP POST requests, unknown domain curl commands, ~/.env reads, and credential keywords. - Summarizes detected filesystem and network accesses as a permission manifest reminder. - Generates a safe report in markdown format with an assigned risk level. - Simple command-line usage via Python.
元数据
Slug agents-skill-security-audit
版本 0.1.0
许可证
累计安装 9
当前安装数 9
历史版本数 1
常见问题

Security Audit 是什么?

Minimal helper to audit skill.md-style instructions for supply-chain risks. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1245 次。

如何安装 Security Audit?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install agents-skill-security-audit」即可一键安装,无需额外配置。

Security Audit 是免费的吗?

是的,Security Audit 完全免费(开源免费),可自由下载、安装和使用。

Security Audit 支持哪些平台?

Security Audit 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Security Audit?

由 cerbug45(@cerbug45)开发并维护,当前版本 v0.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论