
CMIC Skill Scanner (Linux x64)

Author: cyzlmh · GitHub · v0.8.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 146 · Favorites: 0 · Current installs: 0 · Versions: 8
Install in OpenClaw
/install cmic-skill-scanner-linux-amd64
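Description
Audits a skill package or archive before installation using a built-in Rust engine, and can optionally bridge to an external scanner.
Usage instructions (SKILL.md)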

Skill Scan Wrapper

Use this skill when you want to run a quick security check before installing a local skill, archive, or release bundle.

⚠️ Security Notice

This tool operates locally and requires user trust in the binary you run. Always verify the checksum after downloading. For maximum security, build from source (recommended).

Binary Included

| Property | Value |
|---|---|
| Location | assets/bin/skillscan |
| Version | v0.8.0 |
| Platform | Linux x64 |
| SHA-256 | 864f9a0189268139878c06bce7a127687f9e491a070d7c7345d22932c899bcd8 |

Verify locally before running:

sha256sum assets/bin/skillscan
# Compare output with the SHA-256 value above

This bundled package includes a pre-compiled binary. You can still build from source if you prefer:

git clone https://gitee.com/random_player/cmic-skill-scanner.git
cd cmic-skill-scanner && cargo build --release

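Prerequisites

  • No external dependencies are required by default
  • The --upload-url and --engine external features are disabled by default and are enabled only when the user explicitly configures them

Trust model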

This is an open-source (MIT-0) package. The binary (bundled or downloaded) is a convenience only — it does not grant any additional trust.

Your options:

| Approach | Trust Requirement | Verification |
|---|---|---|
| Build from source | None (you control everything) | Manual code review |
| Bundled/downloaded binary | You trust the release host | SHA-256 checksum |

What the tool does NOT do by default:

  • Does NOT upload data anywhere
  • Does NOT connect to the network
  • Does NOT access credentials, SSH configs, or environment variables
  • Does NOT execute external tools unless you explicitly configure --engine external

Workflow

  1. Invoke skillscan:
     skillscan review /path/to/target --format markdown
     skillscan review /path/to/skills --output-dir /tmp/skillscan-out
  2. Read the following in the output: input type, completeness, engine execution status, findings

Network upload (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --upload-url.

What gets sent (only when you configure --upload-url):

  • A structured JSON report containing detection findings
  • An instance identifier you supply via --instance-id
  • No skill source code, credentials, or system configuration is ever transmitted

External engine integration (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --engine external.

Delegates pattern-matching to a user-configured local tool. This runs locally — no remote calls are made.

Permissions Required

| Scope | Reason |
|---|---|
| Read files in target path | To analyze skill source code for patterns |
| Write to --output-dir | To save scan reports locally |
| Execute binary | To run the scanner engine |
| Network (optional) | Only if --upload-url is explicitly configured |
Safe-use recommendations
Do not run or execute any binary until you confirm where it comes from. Steps to take before installing or using this skill:

  • Verify the package actually includes assets/bin/skillscan; if it does not, ask the publisher where to obtain the binary and why it was omitted.
  • If you must obtain a binary from the internet, get it only from a tracked release on a trusted host and verify the provided SHA-256 matches the file you downloaded.
  • Prefer building from source: clone the referenced repo, inspect the code, and build locally; confirm the built binary's checksum matches the one documented.
  • Be cautious enabling --upload-url; confirm (by reading code or by testing in an isolated environment) exactly what fields are transmitted in the JSON report and that no source code or secrets are included.
  • Consider running the scanner in an isolated environment (VM/container) until you confirm the origin and contents of the binary.

Because the package claims a bundled executable but does not include it, treat the discrepancy as a red flag and request clarification from the publisher before trusting or executing any binary.
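The pre-run checks recommended above (confirm the binary is actually present, then compare its SHA-256 with the documented value) written as a shell gate. This is an added example, not part of the skill package or of this listing; the function names verify_binary and run_verified and the SKILLSCAN_* variables are hypothetical, while the path and checksum are the values quoted from SKILL.md.

```shell
#!/bin/sh
# Added example: refuse to run the scanner unless its checksum verifies.
# Path and SHA-256 below are the values documented in SKILL.md on this page.
SKILLSCAN_BIN="${SKILLSCAN_BIN:-assets/bin/skillscan}"
SKILLSCAN_SHA256="${SKILLSCAN_SHA256:-864f9a0189268139878c06bce7a127687f9e491a070d7c7345d22932c899bcd8}"

# verify_binary FILE EXPECTED_SHA256   (hypothetical helper)
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing or not a regular
# file (the "claimed but not shipped" case), 3 if EXPECTED is malformed.
verify_binary() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped reference value must never "match" anything.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed expected checksum" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed expected checksum" >&2; return 3; }
    # Refuse symlinks as well as missing files: hash the thing that will run.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "missing or not a regular file: $file" >&2
        return 2
    fi
    # Read via stdin so an odd filename cannot alter sha256sum's output format.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]   (hypothetical helper)
# Executes FILE only after verify_binary succeeds; otherwise returns its code.
run_verified() {
    file=$1; expected=$2; shift 2
    verify_binary "$file" "$expected" || return $?
    "$file" "$@"
}

# Usage, with the review command from the workflow section:
#   run_verified "$SKILLSCAN_BIN" "$SKILLSCAN_SHA256" review /path/to/target --format markdown
```

The check and the execution are separate steps, so keep the binary in a directory that no other user or process can write to between them.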
Functional analysis
Type: OpenClaw Skill
Name: cmic-skill-scanner-linux-amd64
Version: 0.8.0

The skill bundle includes and executes a pre-compiled binary (assets/bin/skillscan) whose source code is not provided within the package, though a Gitee repository is referenced. It also contains built-in functionality for data transmission to remote endpoints via an optional '--upload-url' flag (e.g., scanner.example.com). While the documentation in SKILL.md and INSTALL.md is transparent about these features and their risks, the execution of opaque binaries with network capabilities in an agent environment warrants a suspicious classification.
Capability tags
crypto
Capability assessment
Purpose & Capability
The SKILL.md and INSTALL.md repeatedly describe a bundled precompiled binary at assets/bin/skillscan and local auditing behavior; however the registry metadata flagged this as an instruction-only skill and the provided file manifest does not include the binary itself. Claiming a bundled executable while not shipping it is an incoherence: users would need to obtain a binary from an external source or build from the referenced repo, which is not made explicit in the package files.
Instruction Scope
Instructions are focused on scanning local skill directories and explicitly state network/upload features are disabled by default. They ask the tool to read target file paths and write output to an output-dir (expected for a scanner). Minor concern: the docs permit optional --upload-url and require an instance-id value, which would transmit structured findings (no source code per doc) — users should verify what exactly would be included before enabling uploads.
Install Mechanism
There is no install spec (lowest technical risk) but SKILL.md claims a bundled binary and provides a SHA-256; the package as presented does not contain the binary path it claims. The SKILL.md suggests cloning a Gitee repo and building from source — pulling code from an external repo is a reasonable option but differs from the 'bundled binary' claim and increases the user's burden to verify the source and checksum. This mismatch raises the chance a user will fetch an external binary from an untrusted location.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The documented runtime permissions (read target files, write output-dir, execute binary, optional network only if user supplies --upload-url) are proportional to a local scanning utility.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent presence or modification of other skills. Autonomous invocation via the model is allowed (platform default) but is not combined with broad or unexpected privileges here.
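How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install cmic-skill-scanner-linux-amd64
  3. Once installation completes, invoke the skill by name or trigger it with /cmic-skill-scanner-linux-amd64
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history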
v0.8.0
  • Rebranded from "cmic-skill-scanner" to "skillscan-wrapper" with updated descriptions and metadata.
  • Documentation overhaul: clearer instructions, detailed trust and security warnings, multilingual content.
  • Emphasized that upload/reporting and external engine integrations are disabled by default and require explicit user configuration.
  • Updated references to binary version (`v0.8.0`), with consistent SHA-256 and security verification steps.
  • Clarified tool permissions, trust model, and provided more explicit build-from-source guidance.
v0.6.4
  • Updated to version 0.6.4 with corresponding documentation changes.
  • Clarified that the scanner analyzes only skill source code and does not access your system files or credentials.
  • Updated binary version references and SHA-256 in documentation.
  • Improved description of detected suspicious patterns within skills.
  • Removed local-file-read permission requirement from metadata.
v0.6.3
  • Updated version to 0.6.3 with revised documentation for improved clarity.
  • Repository and author links now point to https://gitee.com/random_player/cmic-skill-scanner.
  • Added a "permissions" section, listing required and non-required permissions.
  • Reformatted binary information, usage instructions, and malware detection details for better readability.
  • Updated links to releases, source, and checksum files.
v0.6.2
  • Updated to version 0.6.2 with revised descriptions for clarity.
  • Added link to public source code repository and clarified open source status.
  • Improved documentation: specified included binary version, platform, and hash, and added instructions to verify the binary.
  • Expanded list of security checks and streamlined usage examples.
  • Updated metadata with repository URL and reduced tag list.
v0.6.1
  • Updated to version 0.6.1 with revised SKILL.md content and metadata.
  • Added detailed metadata including author, tags, and triggers for easier discovery and activation.
  • Improved skill documentation for clarity, including new usage examples and output descriptions.
  • License updated from MIT to MIT-0.
  • Path and version references updated for the included binary.
v0.6.0
  • Renamed skill to "cmic-skill-scanner" and updated skill description for improved clarity.
  • Updated embedded binary version to v0.6.0.
  • Documentation now emphasizes security scanning before skill installation and details threats (malware, credential theft, suspicious patterns).
  • No external downloader required; package is fully self-contained.
  • Minor language and clarity improvements throughout documentation.
v0.5.0
  • Updated engine binary to version v0.5.0, with SHA-256 checksum preserved.
  • SKILL.md significantly rewritten and simplified; now primarily in Chinese and focused on usage guidance and workflows.
  • Clarified usage of optional external scanner (`--engine external/auto`) and details on input requirements.
  • Instructions for enterprise integration improved: upload/reporting process and expected outputs are clearly described.
  • Old metadata, feature lists, and detailed security guarantee sections removed for brevity.
v0.2.0
  • Introduces cmic-skill-scanner version 0.2.0 for Linux (x64), a defensive security tool to scan AI agent skill packages for malware, credential theft, and suspicious patterns before installation.
  • Includes a native Rust binary scanner (no external downloads required) with SHA-256 checksum for integrity verification.
  • Clearly documents strict security boundaries: does not access personal credentials or send data unless explicitly commanded by the user; no elevated permissions required.
  • Adds optional enterprise reporting and support for external scanner engines, both user-controlled via command-line options.
  • Provides detailed usage instructions, batch and single skill scanning, report options, and a summary of 31 built-in detection rules.
  • Source code and build transparency available for independent verification; alternative platforms (macOS ARM, Linux ARM) referenced.
Metadata
Slug: cmic-skill-scanner-linux-amd64
Version: 0.8.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 8
FAQ

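What is CMIC Skill Scanner (Linux x64)?

It audits a skill package or archive before installation using a built-in Rust engine, and can optionally bridge to an external scanner. It is an AI agent skill plugin for Claude Code / OpenClaw, with 146 total downloads to date.

How do I install CMIC Skill Scanner (Linux x64)?

Run the command "/install cmic-skill-scanner-linux-amd64" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is CMIC Skill Scanner (Linux x64) free?

Yes. CMIC Skill Scanner (Linux x64) is completely free under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does CMIC Skill Scanner (Linux x64) support?

CMIC Skill Scanner (Linux x64) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops CMIC Skill Scanner (Linux x64)?

It is developed and maintained by cyzlmh (@cyzlmh); the current version is v0.8.0.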