← 返回 Skills 市场
340
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install codeql-skill
功能描述
CodeQL security audit pipeline: static scanning, SARIF triage, and QL query optimization. Trigger on: CodeQL, .ql, .sarif, taint tracking, source→sink, LGTM,...
使用说明 (SKILL.md)
CodeQL Security Audit Skill
Three independent modes — identify which one the user needs and run the corresponding script.
| User Intent | Mode | Script |
|---|---|---|
| Scan a repo / create a DB / generate SARIF | [SCAN] | scripts/scan.sh |
| Read SARIF / triage vulns / generate report | [AUDIT] | scripts/audit.py |
| Optimize or debug a .ql query file | [TUNE] | scripts/tune.py |
[SCAN]
bash scripts/scan.sh \x3Crepo_path> [language] [output.sarif]
# language: java | javascript | python | cpp | auto (default)
The script handles: language detection → build command selection → CodeQL DB creation → security suite scan → SARIF output.
For writing custom queries, refer to the relevant language reference:
references/lang-java.md / lang-javascript.md / lang-python.md / lang-cpp.md
[AUDIT]
python3 scripts/audit.py \x3Cresults.sarif> --output exp.md
The script handles: SARIF parsing → attack surface inventory → vuln family grouping → source→sink evidence chain extraction → exp.md output.
Claude's responsibility (what the script cannot do):
- Manually assess
[SUSPICIOUS]entries with no data flow — determine if they are real vulnerabilities - Write POC requests based on business context
- Provide concrete remediation code
[TUNE]
python3 scripts/tune.py \x3Cquery.ql>
The script outputs a tuning checklist covering seven checks: coverage, false positives, performance, and metadata completeness.
Claude's responsibility (what the script cannot do):
- Rewrite source / sink / sanitizer logic based on checklist findings
- Debug queries with no results or unexpected output — refer to
references/debugging.md
安全使用建议
This skill appears to implement what it says, but there are important mismatches and runtime risks to consider before installing or running it:
- Missing prerequisite declaration: the metadata claims no required binaries, yet scripts call 'codeql', 'python3', and potentially 'mvn', 'gradle', or 'make'. Verify you have these tools and ask the publisher to update the metadata to list them.
- Dangerous default behavior when scanning repos: scan.sh may execute repository build commands (via mvn/gradle/make and passing --command to codeql). Building an untrusted repository can execute arbitrary code (malicious build plugins, scripts). Do NOT run scans on untrusted code on your host. Run scans in an isolated environment (ephemeral VM, container, or sandbox) with limited network and no secret mounts.
- Network and pack downloads: running 'codeql database analyze' or using codeql packs can fetch query suites/packs from registries. If you require air-gapped operation, confirm codeql behavior or prefetch packs from trusted sources.
- Secrets exposure via build tooling: project builds may read local config (e.g., ~/.m2/settings.xml, environment variables) and could leak secrets to build steps. Avoid mounting sensitive files when scanning third-party code.
- Audit the scripts yourself: the included scripts are short and readable; review them (scan.sh, audit.py, tune.py) before running. If you want safer operation: create the CodeQL database yourself (without --command), or run codeql with builds performed in a controlled way; run codeql and script invocations as a non-privileged user.
If you plan to use this skill, request that the publisher: (1) declare required binaries and optional build tools in metadata, (2) add explicit warnings about building repositories and best practices for sandboxing, and (3) provide an option to skip automatic build/--command to avoid executing repo code.
功能分析
Type: OpenClaw Skill
Name: codeql-skill
Version: 1.0.0
The CodeQL Security Audit Skill is a legitimate toolset for automating static analysis pipelines. The bundle includes scripts for repository scanning (scan.sh), SARIF result parsing and triage (audit.py), and query optimization (tune.py), all of which function as described without hidden malicious logic. While scan.sh executes build commands like 'mvn' or 'make', this is a standard requirement for CodeQL database creation and does not constitute intentional malice within the context of the tool's purpose.
能力评估
Purpose & Capability
The skill claims CodeQL scanning, SARIF triage, and QL tuning — that matches the included scripts. However the registry metadata lists no required binaries or credentials, while scripts clearly invoke external tools: 'codeql' (scan.sh), 'python3' (audit.py, tune.py) and standard build tools if present (mvn, gradle, make). The missing declaration of required binaries is an incoherence and should be fixed.
Instruction Scope
SKILL.md directs the agent to run the provided scripts. scan.sh will auto-detect language and may run project build commands (mvn/gradle/make) and passes them to 'codeql database create' via --command. Executing a repo's build can run arbitrary code from that repository (e.g., malicious build scripts or plugins). SKILL.md does not warn about this sandboxing risk or recommend isolating execution. audit.py and tune.py operate on local files and do not exfiltrate data, but the scan flow has significant scope creep (running builds, network fetching of CodeQL packs via 'codeql' CLI).
Install Mechanism
There is no install spec (instruction-only style) and the skill ships code files. That keeps platform-level install risk low, but runtime risk depends on external binaries being present. The absence of a declared install step is reasonable, but the skill should declare prerequisites (codeql CLI, python3, bash, optional build tools).
Credentials
The skill does not request environment variables or credentials in metadata and the scripts do not explicitly read secrets. However, running codeql and project builds may implicitly read local configuration (e.g., Maven/Gradle settings, ~/.m2/settings.xml, environment vars used by builds), which could expose secrets if the repo build process references them. This implicit access is not documented and is worth flagging.
Persistence & Privilege
The skill is not always-enabled and does not request permanent presence or modify other skills. It does write output files (SARIF/exp.md/optimized reports) under working directory when invoked, which is expected behavior.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install codeql-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/codeql-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of codeql-skill.
- Introduces three independent modes: SCAN (static scanning & SARIF generation), AUDIT (SARIF triage & reporting), and TUNE (QL query optimization).
- Scripts provided for each mode: `scan.sh` (repo scanning), `audit.py` (SARIF auditing), and `tune.py` (query tuning).
- Supports multiple languages: Java, JavaScript, Python, and C++.
- Includes user guidance for custom queries, audit limitations, and query tuning steps.
元数据
常见问题
codeql-skill 是什么?
CodeQL security audit pipeline: static scanning, SARIF triage, and QL query optimization. Trigger on: CodeQL, .ql, .sarif, taint tracking, source→sink, LGTM,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 340 次。
如何安装 codeql-skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install codeql-skill」即可一键安装,无需额外配置。
codeql-skill 是免费的吗?
是的,codeql-skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
codeql-skill 支持哪些平台?
codeql-skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 codeql-skill?
由 k2-l(@k2-l)开发并维护,当前版本 v1.0.0。
推荐 Skills