
CMIC Skill Scanner (macOS ARM64)

Author: cyzlmh · GitHub ↗ · v0.8.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 141
Favorites: 0
Current installs: 0
Versions: 7
Install in OpenClaw
/install cmic-skill-scanner-darwin-arm64
Description
Audits a skill package or archive before installation using the built-in Rust engine, optionally bridging to an external scanner.
Usage (SKILL.md)

Skill Scan Wrapper

Use this skill when you want to run a quick security check before installing a local skill, archive, or release bundle.

⚠️ Security Notice

This tool operates locally and requires user trust in the binary you run. Always verify the checksum after downloading. For maximum security, build from source (recommended).

Binary Included

Property   Value
Location   assets/bin/skillscan
Version    v0.8.0
Platform   macOS ARM64
SHA-256    3d0e50040dbcb8e9ffa24433587796f61f3c94926ee7e8a87b3359b9e2ae1130

Verify locally before running:

sha256sum assets/bin/skillscan
# Compare output with the SHA-256 value above
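
An added example (not part of the skill's SKILL.md or the project's code) that turns the manual comparison above into a gate that fails closed. The function name verify_pinned_sha256 is hypothetical; it rejects a missing file or a malformed digest, and falls back to shasum -a 256 where sha256sum is not installed.

```shell
# Added example: verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE exists and its SHA-256 equals EXPECTED_HEX.
# Return codes: 1 mismatch, 2 malformed digest, 3 file missing, 4 no hash tool.
verify_pinned_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # A pinned digest must be exactly 64 hex characters; a truncated paste
    # must never be accepted as a "match".
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed expected digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 hex chars" >&2; return 2; }

    # A binary that the docs reference but the package does not contain
    # is a hard failure, not a reason to fetch it from somewhere else.
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 3; }

    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    else
        echo "no SHA-256 tool found" >&2; return 4
    fi

    [ "$actual" = "$expected" ] && return 0
    echo "SHA-256 mismatch for $file: got $actual" >&2
    return 1
}

# Usage with the values published on this page (run the binary only on success):
#   verify_pinned_sha256 assets/bin/skillscan \
#     3d0e50040dbcb8e9ffa24433587796f61f3c94926ee7e8a87b3359b9e2ae1130 \
#     && ./assets/bin/skillscan review /path/to/target --format markdown
```

A matching digest only shows the file is the one the publisher hashed; it says nothing about whether that publisher or release host deserves trust.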

This bundled package includes a pre-compiled binary. You can still build from source if you prefer:

git clone https://gitee.com/random_player/cmic-skill-scanner.git
cd cmic-skill-scanner && cargo build --release

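Prerequisites

  • No external dependencies are required by default
  • The --upload-url and --engine external features are disabled by default and are enabled only when the user configures them explicitly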

Trust Model

This is an open-source (MIT-0) package. The binary (bundled or downloaded) is a convenience only — it does not grant any additional trust.

Your options:

Approach                    Trust Requirement                Verification
Build from source           None (you control everything)    Manual code review
Bundled/downloaded binary   You trust the release host       SHA-256 checksum

What the tool does NOT do by default:

  • Does NOT upload data anywhere
  • Does NOT connect to the network
  • Does NOT access credentials, SSH configs, or environment variables
  • Does NOT execute external tools unless you explicitly configure --engine external

Workflow

  1. Run skillscan:
skillscan review /path/to/target --format markdown
skillscan review /path/to/skills --output-dir /tmp/skillscan-out
  2. In the output, review: the input type, completeness, engine execution status, and findings

Network Upload (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --upload-url.

What gets sent (only when you configure --upload-url):

  • A structured JSON report containing detection findings
  • An instance identifier you supply via --instance-id
  • No skill source code, credentials, or system configuration is ever transmitted

External Engine Integration (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --engine external.

Delegates pattern-matching to a user-configured local tool. This runs locally — no remote calls are made.

Permissions Required

Scope                       Reason
Read files in target path   To analyze skill source code for patterns
Write to --output-dir       To save scan reports locally
Execute binary              To run the scanner engine
Network (optional)          Only if --upload-url is explicitly configured
Security Recommendations
Do not run or download any binary referenced by this SKILL.md until you resolve the packaging contradictions. The SKILL.md claims a bundled binary at assets/bin/skillscan and a checksum file, but the package manifest does not include them. Actions to take before trusting this skill:

  • Ask the publisher to provide the missing assets (binary and checksum) or a reproducible build artifact. Do not rely on an undocumented remote download.
  • If you need to use it, build from source yourself and verify the repository and commit SHA; prefer locally-built artifacts.
  • If you must run a prebuilt binary, verify its SHA-256 exactly matches the reported checksum and confirm the checksum file is present in the package.
  • Keep --upload-url and --engine external disabled. Do not provide an instance-id, credentials, or allow network uploads until you confirm what data the binary actually sends.
  • If the publisher cannot explain why the binary is omitted, treat the package as untrusted and avoid execution.

These inconsistencies could be an innocent packaging mistake, but they materially increase risk — treat this as suspicious until clarified.
Functional Analysis
Type: OpenClaw Skill
Name: cmic-skill-scanner-darwin-arm64
Version: 0.8.0

The skill bundle includes a pre-compiled binary (assets/bin/skillscan) and features for uploading data to remote endpoints (--upload-url). While the documentation in SKILL.md and INSTALL.md frames these as security auditing tools with optional reporting, the inclusion of opaque binaries and network-capable code within a skill bundle poses a significant supply-chain risk. The reliance on a binary for macOS ARM64 and the request for execution permissions are high-risk behaviors, even though the author provides checksums and a source link (gitee.com/random_player/cmic-skill-scanner.git).
Capability Tags
crypto
Capability Assessment
Purpose & Capability
The stated purpose (local Rust-based skill scanner for macOS ARM64) is coherent with the instructions to run a local binary or build from source. However the SKILL.md repeatedly references a bundled binary at assets/bin/skillscan and checksum files, while the provided file manifest lists only INSTALL.md, SKILL.md, agents/openai.yaml, and assets/build/build-info.json — the actual binary and checksum file referenced in the docs are missing. Additionally the registry metadata earlier said 'No code files present' despite the presence of build-info and installation docs; these contradictions are unexplained and could indicate packaging errors or a deliberate omission.
Instruction Scope
Runtime instructions tell the agent/user to execute a local binary (./assets/bin/skillscan) or to clone a remote repo (gitee) and build. Running a binary not included in the package would require fetching remote artifacts — the SKILL.md does not supply a vetted release URL (it points to a repo) and the package lacks an installation spec. The doc claims uploads and external engines are disabled by default, which is good, but the presence of optional --upload-url and --engine external means a user or agent could enable network behavior; instructions do not require or declare any environment variables or credentials.
Install Mechanism
The skill has no formal install spec in the registry, yet INSTALL.md and SKILL.md describe a precompiled binary bundled at assets/bin/skillscan and a packaged sha256 file. The manifest does not include that binary or the sha256 file. This mismatch (claims of a bundled executable without it being present) is the primary install-related risk: to follow the docs a user/agent would need to download or fetch the binary from external sources, which increases risk unless the source is verified. The suggested build-from-source path points at a gitee repo rather than an official release host (GitHub/GitLab/GitHub releases), which is less standard but not inherently malicious.
Credentials
The skill declares no required environment variables, credentials, or privileged config paths. The permissions described (read target path, write output-dir, execute the binary, optional network only when --upload-url is configured) are proportionate to a local scanner. There is no request for unrelated cloud credentials or secrets. That said, the optional upload feature would transmit structured findings and an instance-id if enabled — avoid configuring upload-url or supplying instance identifiers until you validate the binary/source.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request persistent privileges or modifications to other skills' configs. Autonomous invocation is allowed (default), which is normal for skills; this is not in itself a distinguishing risk here.
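How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install cmic-skill-scanner-darwin-arm64
  3. After installation, call the Skill by name or trigger it with /cmic-skill-scanner-darwin-arm64
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output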
Version History
v0.8.0
Major update and rebranding with enhanced trust and configurability.
  • Renamed from "cmic-skill-scanner" to "skillscan-wrapper"
  • Updated description and documentation for clarity and bilingual usage (English/Chinese)
  • Emphasized local operation, checksum verification, and open-source trust model
  • Optional features (`--upload-url`, `--engine external`) are disabled by default and require explicit user configuration
  • Enhanced documentation for permissions, usage workflow, and binary/source integrity
  • Binary version bumped to 0.8.0; old version info and tags removed
v0.6.4
  • Updated version to 0.6.4.
  • Clarified scanner function: analyzes skill source code only, not the system.
  • Updated binary, release links, and SHA-256 references to v0.6.4.
  • Streamlined and clarified detection categories and descriptions.
  • Removed local-file-read permission from the manifest.
v0.6.3
  • Updated to version 0.6.3 with clarified documentation, including a new repository URL.
  • SKILL.md improved: clearer binary properties in a table, explicit version/platform details, and step-by-step checksum verification instructions.
  • Added explicit permissions explanation and new "permissions" metadata.
  • Enhanced documentation of what the scanner detects and clearer usage examples.
v0.6.2
  • Updated SKILL.md with improved usage instructions and clearer feature descriptions.
  • Version bump to 0.6.2; binary version and metadata updated accordingly.
  • Added repository URL and direct links to source code and releases.
  • Enhanced "What It Checks" section for better visibility of security features.
  • Minor clarifications and formatting improvements in documentation.
v0.6.1
  • Updated built-in binary to version 0.6.1 for darwin-arm64 platform.
  • Improved and simplified documentation in SKILL.md with clearer usage, outputs, and integration examples.
  • Updated license to MIT-0 and added metadata including author, tags, and triggers.
  • Documentation now includes a link for pure/external downloads and adjusts formatting for clarity.
v0.6.0
Version 0.6.0 of cmic-skill-scanner-darwin-arm64
  • Updated internal scanner binary to version v0.6.0 with new SHA-256 checksum.
  • Improved SKILL.md for clarity; now includes Chinese usage docs, streamlined description, and explicit binary/platform info.
  • Updated usage instructions for scanning, external engine bridging, enterprise output, and upload workflow.
  • License specified as MIT; author and metadata updated.
  • Updated INSTALL.md, OpenAI agent config, and build info for new version and binary.
v0.2.0
  • Added detailed SKILL.md documentation including usage instructions, security guarantees, and verification steps.
  • Clarified platform targeting: package includes a macOS ARM64 (darwin-arm64) native binary.
  • Explained optional enterprise reporting and strict user-controlled permissions for network and file operations.
  • Listed common commands and expanded on detection rules for improved transparency.
  • Provided source code location and reproducible build verification guidance.
Metadata
Slug cmic-skill-scanner-darwin-arm64
Version 0.8.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 7
FAQ

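What is CMIC Skill Scanner (macOS ARM64)?

It audits a skill package or archive before installation using the built-in Rust engine, optionally bridging to an external scanner. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 141 times in total so far.

How do I install CMIC Skill Scanner (macOS ARM64)?

Run the command "/install cmic-skill-scanner-darwin-arm64" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is CMIC Skill Scanner (macOS ARM64) free?

Yes, CMIC Skill Scanner (macOS ARM64) is completely free under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does CMIC Skill Scanner (macOS ARM64) support?

CMIC Skill Scanner (macOS ARM64) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed CMIC Skill Scanner (macOS ARM64)?

It is developed and maintained by cyzlmh (@cyzlmh); the current version is v0.8.0.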
