← 返回 Skills 市场
Code Audit
作者
hanwenyolo-dot
· GitHub ↗
· v1.2.0
· MIT-0
438
总下载
1
收藏
3
当前安装
2
版本数
在 OpenClaw 中安装
/install code-audit-claw
功能描述
Three-mode code auditor for OpenClaw workspaces. (1) Security audit — finds hardcoded secrets, dangerous shell commands, SQL injection, unsafe deserializatio...
使用说明 (SKILL.md)
Code Audit Skill
🚨 铁律(ABSOLUTE RULES)
- 本 Skill 文件(SKILL.md、references/.md、scripts/.py)严禁自行修改 — 发现问题或改进建议,必须先向用户汇报,等待明确确认后才能执行修改
- 审计报告只读:输出报告,不自动修复任何被审计的文件
- 修复建议 ≠ 执行:给出修复方案后,等用户确认再动手
扫描脚本
scripts/audit_scanner.py — 核心扫描工具,支持三种模式。
# 全量审计(默认)
python3 scripts/audit_scanner.py \x3C目标路径> --mode all
# 仅安全审计
python3 scripts/audit_scanner.py \x3C目标路径> --mode security
# 仅质量审计
python3 scripts/audit_scanner.py \x3C目标路径> --mode quality
# 仅灵魂文件审计
python3 scripts/audit_scanner.py \x3C目标路径> --mode soul
脚本自动区分"灵魂文件"(SOUL.MD / MEMORY.MD / AGENTS.MD / HEARTBEAT.MD / USER.MD / SKILL.MD)和普通代码文件,分别应用不同规则集。
SOP
- 确认目标:让用户指定要审计的文件路径或目录
- 推断模式:
- 目标含 SOUL/MEMORY/AGENTS →
soul模式 - 目标是代码文件 →
security或quality - 未指定 →
all
- 目标含 SOUL/MEMORY/AGENTS →
- 运行扫描:执行
audit_scanner.py - 输出报告:分 🔴 Critical / 🟡 Warning / 🟢 Info 三级
- 给出建议:针对每个 Critical/Warning 问题,提供修复建议
审计规则参考
- 安全规则:
references/security-rules.md - 质量规则:
references/quality-rules.md - 灵魂文件规则:
references/soul-rules.md(含 SOUL.md 铁律完整性检查清单)
常用审计场景
| 场景 | 命令 |
|---|---|
| 审计整个 workspace | --mode all ~/.openclaw/workspace |
| 只看灵魂文件 | --mode soul ~/.openclaw/workspace |
| 审计某个脚本 | --mode security scripts/analyzer.py |
| 审计所有 Skills | --mode soul ~/.openclaw/workspace/skills |
| 系统安全检查 | --mode system ~/.openclaw/workspace |
安全使用建议
This skill appears coherent and implements a local audit tool. Before running it: (1) review scripts/audit_scanner.py yourself to confirm you’re comfortable with the checks it performs (it will read any files/directories you point it at, so don’t scan data you don’t want inspected); (2) if you run the 'system' mode, understand it inspects system startup items and runs utilities like codesign/crontab checks (macOS-focused); (3) the skill claims it will not modify files — still exercise caution if you later grant it permission to apply fixes; (4) if you enable automated cron runs, schedule them deliberately and ensure reports are stored where you expect. No credentials or external network actions are required by the manifest.
功能分析
Type: OpenClaw Skill
Name: code-audit-claw
Version: 1.2.0
The bundle is a comprehensive security and quality auditing tool designed for the OpenClaw environment. The core script, scripts/audit_scanner.py, implements extensive diagnostic checks for hardcoded secrets, dangerous shell commands, and system-level anomalies such as unsigned binaries (via codesign), unauthorized network listeners (via lsof), and suspicious SUID files. The SKILL.md file includes robust safety instructions that explicitly prohibit the AI agent from making unauthorized file modifications or auto-fixing issues. No evidence of data exfiltration, malicious persistence, or harmful prompt injection was found; the tool's behavior is entirely consistent with its stated purpose.
能力评估
Purpose & Capability
Name/description match the provided files: SKILL.md, README, rules references and a scanner script that implements security/quality/soul/system checks. The skill does not ask for unrelated credentials or external access.
Instruction Scope
Runtime instructions tell the agent to run the bundled scanner against a user-supplied path and produce read-only HTML reports. The scanner inspects workspace files and (optionally) system items when run in 'system' mode; this behavior is consistent with the documented purpose. The SKILL.md explicitly forbids automatic modification of skill files and states reports are read-only.
Install Mechanism
No install spec or remote downloads are present; the skill is instruction + a local Python script. Nothing in the manifest requires pulling code from external URLs.
Credentials
The skill requests no environment variables, credentials, or config paths. The scanner may read arbitrary files you point it at (including secrets if present), which is expected for a code-auditor.
Persistence & Privilege
always is false and the skill does not request forced inclusion or system-level configuration changes. The SKILL.md mentions that weekly cron-based audits are supported, but no automatic scheduling code is included in the manifest — scheduling would be a user action and is documented as optional.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install code-audit-claw - 安装完成后,直接呼叫该 Skill 的名称或使用
/code-audit-claw触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
Initial release of code-audit-claw.
- Added LICENSE and README.md files.
- Introduced base documentation and usage examples for the code auditing skill.
- Defined three scanning modes: security audit, quality audit, and soul audit.
- Outlined command-line interface and typical usage scenarios.
- Documented audit rules, operating procedures, and strict modification policies.
v1.0.0
Initial release: security audit, quality audit, and OpenClaw-exclusive soul audit for SOUL.md/MEMORY.md/AGENTS.md. HTML report output + AI analysis mode + weekly cron support.
元数据
常见问题
Code Audit 是什么?
Three-mode code auditor for OpenClaw workspaces. (1) Security audit — finds hardcoded secrets, dangerous shell commands, SQL injection, unsafe deserializatio... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 438 次。
如何安装 Code Audit?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install code-audit-claw」即可一键安装,无需额外配置。
Code Audit 是免费的吗?
是的,Code Audit 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Code Audit 支持哪些平台?
Code Audit 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Code Audit?
由 hanwenyolo-dot(@hanwenyolo-dot)开发并维护,当前版本 v1.2.0。
推荐 Skills