CMIC Skill Scanner

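Author: cyzlmh · v0.8.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 153 · Favorites: 0 · Current installs: 0 · Versions: 13
Install in OpenClaw:
/install cmic-skill-scanner
Description
Audits skill packages or archives before installation using a built-in Rust engine, with an optional bridge to an external scanner.
Usage (SKILL.md)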

Skill Scan Wrapper

Use this skill when you want to run a quick security check before installing a local skill, archive, or release bundle.

⚠️ Security Notice

This tool operates locally and requires user trust in the binary you run. Always verify the checksum after downloading. For maximum security, build from source (recommended).

Reference Package (No Binary)

This package contains only documentation. Pre-built binaries are hosted on Gitee Releases (open source, verifiable).

Download from Gitee Releases: https://gitee.com/random_player/cmic-skill-scanner/releases

Verify checksums before running: See https://gitee.com/random_player/cmic-skill-scanner/raw/main/releases/v0.8.0/SHA256SUMS

Build from source (recommended for maximum security):

git clone https://gitee.com/random_player/cmic-skill-scanner.git
cd cmic-skill-scanner && cargo build --release
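
The checksum step above, as an added example that is not code from the project: a fail-closed check of one downloaded file against a SHA256SUMS list. It assumes the list uses the standard sha256sum layout; `sha256_of`, `verify_release`, `demo` and the sample file name are hypothetical names constructed for the illustration.

```shell
#!/bin/sh
# Added example: fail-closed check of one downloaded file against a SHA256SUMS list.
# Assumption: standard sha256sum layout "<64 hex>  <name>", names without spaces.

sha256_of() {   # print the SHA-256 of a file (coreutils, or shasum on macOS)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release FILE SUMS -> 0 match, 1 hash mismatch, 2 not verifiable
verify_release() {
    file=$1; sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    name=$(basename "$file")
    # Compare the name field exactly; strip the optional "*" binary marker.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print tolower($1) }' "$sums")
    # No entry, or several entries for one name, is ambiguous: refuse to run it.
    [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] && return 0
    return 1
}

# Constructed sample: a stand-in "binary" and a matching SHA256SUMS in a temp dir.
demo() {
    d=$(mktemp -d) || return 9
    printf 'constructed sample binary\n' > "$d/skillscan-demo"
    printf '%s  skillscan-demo\n' "$(sha256_of "$d/skillscan-demo")" > "$d/SHA256SUMS"
    ok=0;       verify_release "$d/skillscan-demo" "$d/SHA256SUMS" || ok=$?
    printf 'tampered\n' >> "$d/skillscan-demo"      # simulate a swapped file
    bad=0;      verify_release "$d/skillscan-demo" "$d/SHA256SUMS" || bad=$?
    unlisted=0; verify_release "$d/SHA256SUMS" "$d/SHA256SUMS" || unlisted=$?
    rm -rf "$d"
    echo "$ok $bad $unlisted"
}

demo   # prints: 0 1 2
```

A SHA256SUMS file fetched from the same host as the binary detects corruption or a swapped file, but the result still rests on trusting that release host.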

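Prerequisites

  • No external dependencies are required by default
  • The --upload-url and --engine external features are disabled by default and are enabled only when the user explicitly configures them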

Trust model

This is an open-source (MIT-0) package. The binary (bundled or downloaded) is a convenience only — it does not grant any additional trust.

Your options:

| Approach | Trust Requirement | Verification |
|---|---|---|
| Build from source | None (you control everything) | Manual code review |
| Bundled/downloaded binary | You trust the release host | SHA-256 checksum |

What the tool does NOT do by default:

  • Does NOT upload data anywhere
  • Does NOT connect to the network
  • Does NOT access credentials, SSH configs, or environment variables
  • Does NOT execute external tools unless you explicitly configure --engine external

Workflow

  1. Run skillscan:
skillscan review /path/to/target --format markdown
skillscan review /path/to/skills --output-dir /tmp/skillscan-out
  2. In the output, read: input type, completeness, engine execution status, findings

Network upload (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --upload-url.

What gets sent (only when you configure --upload-url):

  • A structured JSON report containing detection findings
  • An instance identifier you supply via --instance-id
  • No skill source code, credentials, or system configuration is ever transmitted

External engine integration (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --engine external.

Delegates pattern-matching to a user-configured local tool. This runs locally — no remote calls are made.

Permissions Required

| Scope | Reason |
|---|---|
| Read files in target path | To analyze skill source code for patterns |
| Write to --output-dir | To save scan reports locally |
| Execute binary | To run the scanner engine |
| Network (optional) | Only if --upload-url is explicitly configured |
Safe usage recommendations
This package is just documentation for a local scanner. If you plan to use the prebuilt binary, verify the SHA-256 checksum (and preferably build from source). Only enable --upload-url if you fully trust the destination (it will receive the structured findings and any instance identifier you provide). Note the small inconsistency: the description mentions a Rust engine but no binary is bundled here — you must obtain or build the scanner yourself. Inspect the release repo on Gitee before downloading, and prefer building from source for maximum assurance.
Functional analysis
Type: OpenClaw Skill
Name: cmic-skill-scanner
Version: 0.8.0
The skill bundle acts as a wrapper that instructs the agent to download and execute external binaries from a personal Gitee repository (gitee.com/random_player/cmic-skill-scanner), which is a high-risk delivery mechanism. While it claims to be a security tool, it contains no actual logic, only instructions to fetch and run unverified code. Additionally, it features an optional '--upload-url' flag for data exfiltration and requires execution permissions, making the 'bring-your-own-binary' pattern in SKILL.md highly suspicious.
Capability assessment
Purpose & Capability
The skill's name and description (an audit/scanner) align with its instructions. However, the package claims a "built-in Rust engine" but contains no binary or code—it's an instruction-only wrapper that points users to prebuilt releases on Gitee or to building from source. This is explainable but worth noting: no engine is actually bundled.
Instruction Scope
SKILL.md limits actions to scanning local targets, writing local reports, and optionally uploading structured JSON only when the user explicitly configures --upload-url. It explicitly states it will not access credentials, SSH config, or environment variables by default. The instructions do require the scanner to read target files (expected for this purpose).
Install Mechanism
There is no install spec; the README instructs downloading prebuilt binaries from a Gitee Releases page or building from source. Gitee is a known host but is not as universally familiar as e.g., GitHub releases; the SKILL.md does provide a SHA256SUMS URL for verification. Because binaries would be fetched from an external host, users must verify checksums or build from source.
Credentials
The skill declares no required environment variables, credentials, or config paths. The only optional data sent on upload is a structured JSON report and an instance-id supplied by the user. This scope of environment/credential access is proportionate to the declared functionality.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide configuration. It is instruction-only and does not attempt to modify other skills or agent settings. Autonomous invocation by the agent is allowed (platform default) but not combined with other concerning privileges.
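How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install cmic-skill-scanner
  3. Once installed, invoke the Skill by name or trigger it with /cmic-skill-scanner
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history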
v0.8.0
  • Documentation updated: SKILL.md rewritten for clarity and brevity.
  • Emphasizes that this package contains only documentation—no binary is included.
  • Instructs users to download pre-built binaries or build from source, with direct links to Gitee Releases and verification instructions.
  • Retains all major feature and security notices, with reorganized information for easier reading.
  • Removes redundant detailed usage and expands on the trust model and verification steps.
v0.7.3
  • License identifier in the manifest corrected from "MIT" to "MIT-0" for accuracy.
  • Obsolete hardcoded SHA-256 checksum and version removed from verification instructions; users are now directed to check the Gitee Release page for current checksums.
  • Documentation on verification updated to reduce risk of confusion and ensure users always reference the official checksum source.
v0.7.2
  • Added explicit security notices about binary trust and mandatory checksum verification.
  • Documented and strongly recommended building from source for maximum security.
  • Clarified that network and external engine features are disabled by default and require explicit user configuration.
  • Expanded verification instructions and warnings for precompiled binaries.
  • Improved documentation of trust model, feature enablement, and default behaviors for safer usage.
v0.7.1
Skillscan-wrapper 0.7.1 removes bundled binaries and updates installation instructions.
  • The SKILL.md now directs users to download the scanner binary from the Gitee Release page, instead of providing it in the package.
  • Instructions are added for manual binary verification and execution permission setup.
  • All references to the internal assets/bin/skillscan path have been replaced with standalone usage (skillscan) in CLI examples.
  • Clarified that this package is now a documentation/reference wrapper only; no binary is shipped inside.
v0.7.0
**Major update with new binary integration and enhanced security workflow**
  • Replaces previous documentation with new instructions for the `skillscan-wrapper` tool and updates all content.
  • Introduces an embedded Rust engine binary (`assets/bin/skillscan`, version 0.7.0).
  • Adds options for bridging to external scanners with `--engine external`.
  • Details a clearer security model, emphasizing that only scan results are uploaded—never skill source or credentials.
  • Provides comprehensive usage examples, including enterprise integration and reporting to internal endpoints.
  • Updates license and attribution fields.
v0.6.4
  • Updated description for greater clarity and detail about what the scanner analyzes.
  • Expanded and clarified detection categories and examples in the documentation.
  • Removed the explicit permissions section and emphasized that the tool only reads specified source files.
  • Improved and reworded usage instructions and explanations for easier understanding.
v0.6.3
  • Updated documentation in SKILL.md for clarity and scope, emphasizing open-source and release verification.
  • Added details about required permissions: the scanner reads only user-specified local files and does not access credentials or system files.
  • Updated repository and source code links to https://gitee.com/random_player/cmic-skill-scanner.
  • Modified download instructions: binaries now on Gitee Releases with checksum verification.
  • Expanded detection criteria to clarify categories of security checks performed.
  • Version bump to 0.6.3.
v0.6.2
  • Updated description and metadata for clarity and accuracy.
  • Added repository link and clarified that this package does not include a binary file.
  • Provided updated links to platform-specific bundled binaries.
  • Simplified usage instructions and refocused scope on reference/package only.
  • Improved documentation of scanning features and security checks.
v0.6.1
Summary: Documentation update with new download links and enhanced usage instructions.
  • Updated download URLs and checksums for version 0.6.1.
  • Added detailed usage instructions and example commands.
  • Included a new section describing audit output and findings.
  • Provided guidance for enterprise integration and reporting.
  • No changes to core functionality; documentation improvements only.
v0.6.0
  • Updated to version 0.6.0.
  • Download URLs now point to new v0.6.0 releases for all platforms.
  • Checksum verification link updated to v0.6.0 release files.
v0.5.0
  • Updated to version 0.5.0 with new binary download links and checksum references.
  • Simplified documentation by removing installation and usage details from SKILL.md.
  • Reduced metadata tag list and removed some triggers.
  • INSTALL.md file removed.
v0.4.0
  • Major update: switching to a binary-distributed model with required external download and stronger emphasis on verification.
  • Removed assets/build/build-info.json and references to internal binary checksums; installation now relies on official Gitee or bundled releases.
  • SKILL.md, INSTALL.md, and YAML updated to clarify installation steps and security practices, including clear binary download and verification instructions.
  • Added table of official download URLs for multiple platforms; recommends using platform-specific bundles.
  • Enterprise features and detection capabilities remain, but documentation is now more focused and concise.
  • Metadata adjusted: platform is no longer specified in SKILL.md; all platform binaries handled via external download.
v0.2.0
  • Added detailed documentation describing security guarantees, usage instructions, and verification procedures.
  • Clarified permissions and user-controlled options for network access and file outputs.
  • Listed supported platforms and provided links for additional binary downloads.
  • Outlined detection capabilities and scan commands for various audit scenarios.
  • Emphasized source transparency and checksum verification for enhanced trust.
Metadata
Slug: cmic-skill-scanner
Version: 0.8.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 13
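FAQ

What is CMIC Skill Scanner?

It audits skill packages or archives before installation using a built-in Rust engine, with an optional bridge to an external scanner. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has 153 total downloads so far.

How do I install CMIC Skill Scanner?

Run the command "/install cmic-skill-scanner" in the OpenClaw or Claude Code chat box for one-step installation; no extra configuration is needed.

Is CMIC Skill Scanner free?

Yes. CMIC Skill Scanner is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does CMIC Skill Scanner support?

CMIC Skill Scanner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed CMIC Skill Scanner?

It is developed and maintained by cyzlmh (@cyzlmh); the current version is v0.8.0.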
