suhteevah

cryptolint

Author suhteevah · GitHub ↗ · v1.0.1 · MIT-0
Platforms: darwin, linux, win32 · ⚠ suspicious
91 total downloads · 0 favorites · 0 current installs · 2 versions
Install in OpenClaw: /install cryptolint

Description
Cryptography misuse & weak algorithm detector -- detects deprecated algorithms, hardcoded keys/IVs, ECB mode, weak random number generation, timing-vulnerabl...

Usage (SKILL.md)

# CryptoLint -- Cryptography Misuse & Weak Algorithm Detector

CryptoLint scans codebases for cryptographic anti-patterns, deprecated algorithms (MD5, SHA-1, DES, RC4), hardcoded keys and IVs, insecure encryption modes (ECB), weak random number generation, timing-vulnerable comparisons, and insecure TLS/SSL configuration. It uses regex-based pattern matching against 90 cryptography-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

## Commands

### Free Tier (No license required)

#### `cryptolint scan [file|directory]`
One-shot cryptography quality scan of files or directories.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
3. Runs 30 cryptography patterns against each file (free tier limit)
4. Calculates a crypto quality score (0-100) per file and overall
5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
6. Outputs findings with: file, line number, check ID, severity, description, recommendation
7. Exit code 0 if score >= 70, exit code 1 if score < 70
8. Free tier limited to first 30 patterns (WA + KM categories)

**Example usage scenarios:**
- "Scan my code for crypto issues" -> runs `cryptolint scan .`
- "Check this file for weak algorithms" -> runs `cryptolint scan src/crypto.ts`
- "Find hardcoded encryption keys" -> runs `cryptolint scan src/`
- "Audit cryptography usage in my project" -> runs `cryptolint scan .`
- "Check for MD5 or SHA1 usage" -> runs `cryptolint scan .`

### Pro Tier ($19/user/month -- requires CRYPTOLINT_LICENSE_KEY)

#### `cryptolint scan --tier pro [file|directory]`
Extended scan with 60 patterns covering weak algorithms, key management, encryption modes, and random number generation.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro
```

**What it does:**
1. Validates Pro+ license
2. Runs 60 cryptography patterns (WA, KM, EM, RN categories)
3. Detects insecure encryption modes (ECB, CBC without auth)
4. Identifies weak random number generation for crypto
5. Full category breakdown reporting

#### `cryptolint scan --format json [directory]`
Generate JSON output for CI/CD integration.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json
```

#### `cryptolint scan --format html [directory]`
Generate HTML report for browser viewing.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html
```

#### `cryptolint scan --category WA [directory]`
Filter scan to a specific check category (WA, KM, EM, RN, TC, CP).

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category WA
```

### Team Tier ($39/user/month -- requires CRYPTOLINT_LICENSE_KEY with team tier)

#### `cryptolint scan --tier team [directory]`
Full scan with all 90 patterns across all 6 categories including timing attacks and certificate/protocol checks.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team
```

**What it does:**
1. Validates Team+ license
2. Runs all 90 patterns across 6 categories
3. Includes timing & comparison checks (timing side-channels, non-constant-time comparison)
4. Includes certificate & protocol checks (TLS verification disabled, insecure protocols)
5. Full category breakdown with per-file results

#### `cryptolint scan --verbose [directory]`
Verbose output showing every matched line and pattern details.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose
```

#### `cryptolint status`
Show license and configuration information.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" status
```

## Check Categories

CryptoLint detects 90 cryptographic anti-patterns across 6 categories:

| Category | Code | Patterns | Description | Severity Range |
|----------|------|----------|-------------|----------------|
| **Weak Algorithms** | WA | 15 | MD5, SHA-1, DES, 3DES, RC4, Blowfish, weak PBKDF2 iterations, deprecated TLS versions | high -- critical |
| **Key Management** | KM | 15 | Hardcoded encryption keys, static IVs/salts, short keys, keys in source code, zero IVs | high -- critical |
| **Encryption Modes** | EM | 15 | ECB mode, CBC without authentication, raw RSA without padding, deprecated createCipher | medium -- critical |
| **Random Number Generation** | RN | 15 | Math.random() for security, java.util.Random for crypto, time-seeded RNG, predictable seeds | high -- critical |
| **Timing & Comparison** | TC | 15 | String equality for hashes, == for HMAC, non-constant-time comparisons, early-return timing leaks | medium -- high |
| **Certificate & Protocol** | CP | 15 | SSL/TLS verification disabled, hostname check bypassed, insecure protocol versions, HTTP in auth | high -- critical |

## Tier-Based Pattern Access

| Tier | Patterns | Categories |
|------|----------|------------|
| **Free** | 30 | WA, KM |
| **Pro** | 60 | WA, KM, EM, RN |
| **Team** | 90 | WA, KM, EM, RN, TC, CP |
| **Enterprise** | 90 | WA, KM, EM, RN, TC, CP + priority support |

## Scoring

CryptoLint uses a deductive scoring system starting at 100 (perfect):

| Severity | Point Deduction | Description |
|----------|-----------------|-------------|
| **Critical** | -25 per finding | Broken algorithm or direct cryptographic vulnerability |
| **High** | -15 per finding | Significant cryptographic weakness (deprecated algo, weak key) |
| **Medium** | -8 per finding | Suboptimal practice (CBC without auth, weak mode choice) |
| **Low** | -3 per finding | Informational / best practice suggestion |

### Grading Scale

| Grade | Score Range | Meaning |
|-------|-------------|---------|
| **A** | 90-100 | Excellent cryptography practices |
| **B** | 80-89 | Good crypto with minor issues |
| **C** | 70-79 | Acceptable but needs improvement |
| **D** | 60-69 | Poor cryptography quality |
| **F** | Below 60 | Critical cryptography problems |

- **Pass threshold:** 70 (Grade C or better)
- Exit code 0 = pass (score >= 70)
- Exit code 1 = fail (score < 70)
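The category table and the deductive scoring above, carried through in working code as an added example. This is not the skill's own code (CryptoLint itself is a bash and grep tool with 90 patterns); the check IDs, the regexes, the three sample source files and the rule that the overall score applies the same deductions across every file are assumptions made for the demo. The category codes, the per-severity deductions, the grade bands and the 70-point pass threshold are the page's.

```python
"""Regex-based cryptography linter with CryptoLint-style deductive scoring.

Added example, not the skill's own code. The check IDs, the regexes and the
three sample source files are constructed here; only the category codes,
severity deductions, grade bands and the 70-point pass threshold come from
the page. Overall score = 100 minus deductions across every file (assumed).
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    file: str
    line: int
    check_id: str
    category: str
    severity: str
    description: str


# (check_id, category, severity, compiled regex, description). One
# representative pattern per category; the real ruleset has 15 per category.
CHECKS = [
    ("WA-001", "WA", "high", re.compile(r"(?i)\b(md5|sha1)\b"),
     "Deprecated hash function (MD5/SHA-1)"),
    ("WA-002", "WA", "critical", re.compile(r"(?i)\b(des|3des|rc4|arcfour)\b"),
     "Broken cipher (DES/3DES/RC4)"),
    ("KM-001", "KM", "critical",
     re.compile(r"""(?i)\b\w*(secret|key|iv)\s*=\s*['"][^'"]{8,}['"]"""),
     "Hardcoded key/IV literal in source"),
    ("EM-001", "EM", "critical", re.compile(r"(?i)-ecb\b|MODE_ECB|/ECB/"),
     "ECB mode leaks plaintext structure"),
    ("RN-001", "RN", "high",
     re.compile(r"Math\.random\(|\brandom\.random\(|java\.util\.Random"),
     "Non-cryptographic RNG used for a security value"),
    ("TC-001", "TC", "medium",
     re.compile(r"(?i)(hmac|mac|digest|hash)\w*\s*[!=]==?\s*"),
     "Non-constant-time comparison of a MAC/digest"),
    ("CP-001", "CP", "critical",
     re.compile(r"rejectUnauthorized\s*:\s*false|verify\s*=\s*False|CERT_NONE"),
     "TLS certificate verification disabled"),
]

DEDUCTION = {"critical": 25, "high": 15, "medium": 8, "low": 3}
PASS_THRESHOLD = 70


def scan_text(name: str, text: str) -> List[Finding]:
    """Run every check against every line; one finding per (line, check)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for check_id, cat, sev, rx, desc in CHECKS:
            if rx.search(line):
                findings.append(Finding(name, lineno, check_id, cat, sev, desc))
    return findings


def score(findings: List[Finding]) -> int:
    """Deductive score: start at 100, subtract per finding, floor at 0."""
    return max(0, 100 - sum(DEDUCTION[f.severity] for f in findings))


def grade(s: int) -> str:
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if s >= floor:
            return letter
    return "F"


def exit_code(s: int) -> int:
    """0 = pass (score >= 70), 1 = fail, as the page's CI contract states."""
    return 0 if s >= PASS_THRESHOLD else 1


def scan_files(files: Dict[str, str]) -> Dict[str, Tuple[int, str, List[Finding]]]:
    """Per-file (score, grade, findings) plus an "overall" entry over all files."""
    results = {}
    everything: List[Finding] = []
    for name, text in files.items():
        found = scan_text(name, text)
        everything.extend(found)
        results[name] = (score(found), grade(score(found)), found)
    results["overall"] = (score(everything), grade(score(everything)), everything)
    return results


# Constructed sample inputs (not real project code).
SAMPLES = {
    "legacy.js": """\
const crypto = require('crypto');
const key = "0123456789abcdef";
const h = crypto.createHash('md5').update(data).digest('hex');
const cipher = crypto.createCipheriv('aes-128-ecb', key, null);
const nonce = Math.random().toString(36).slice(2);
if (computedMac === receivedMac) { accept(); }
""",
    "hashing.js": """\
const digest = crypto.createHash('md5').update(body).digest('hex');
if (digest == expected) { return true; }
""",
    "good.js": """\
const crypto = require('crypto');
const h = crypto.createHash('sha256').update(data).digest('hex');
const iv = crypto.randomBytes(12);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
if (crypto.timingSafeEqual(computedMac, receivedMac)) { accept(); }
""",
}

if __name__ == "__main__":
    for name, (s, g, found) in scan_files(SAMPLES).items():
        print(f"{name}: score={s} grade={g} exit={exit_code(s)}")
        for f in found:
            print(f"  {f.file}:{f.line} {f.check_id} [{f.severity}] {f.description}")
```

Running it prints legacy.js at 12 (F, exit 1), hashing.js at 77 (C, exit 0) and good.js at 100 (A). Two observations carry over to the real tool: one critical plus one high finding already costs 40 points, so a file with both cannot reach grade B, and line-oriented regexes have no notion of scope, so the same `key = "..."` literal in a test fixture is scored like one in production code, which is what the `ignorePatterns` and `ignoreChecks` options in the configuration section are for.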
\r
## Configuration

Users can configure CryptoLint in `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "cryptolint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately with no configuration
- **All scanning happens locally** -- no code is sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Pattern matching only -- no AST parsing, no external dependencies beyond bash
- Supports scanning all file types in a single pass
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
- Output formats: text (default), json, html

## Error Handling

- If lefthook is not installed and user tries hooks, prompt to install it
- If license key is invalid or expired, show clear message with link to https://cryptolint.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If no scannable files found in target, report clean scan with info message
- If an invalid category is specified with --category, show available categories

## When to Use CryptoLint

The user might say things like:
- "Scan my code for crypto issues"
- "Check my cryptography usage"
- "Find weak algorithms in my code"
- "Detect hardcoded encryption keys"
- "Are there any MD5 or SHA1 uses?"
- "Check for insecure encryption modes"
- "Audit my TLS configuration"
- "Find ECB mode usage"
- "Check for timing attack vulnerabilities"
- "Scan for weak random number generation"
- "Run a cryptography audit"
- "Generate a crypto quality report"
- "Check if Math.random is used for security"
- "Find hardcoded IVs and salts"
- "Check my code for crypto anti-patterns"
Safe usage recommendations
What to check before installing:
- This skill is local-only and implements a sensible cryptography linter, but it will look for a stored license in ~/.openclaw/openclaw.json and will accept CRYPTOLINT_LICENSE_KEY via env var. The registry metadata did not list that config path; confirm you are comfortable with the skill reading that file before installing.
- The license module optionally uses CLAWHUB_JWT_SECRET (not declared) to verify JWT signatures; only set that env var if you understand its purpose.
- Installing hooks will create/append a lefthook.yml in your repository and run lefthook install; test in a disposable repo first if you don't want immediate repo changes.
- If you will provide a license key, prefer setting it per-session rather than storing it permanently, or inspect ~/.openclaw/openclaw.json to confirm where keys will be saved.
- Overall the code appears coherent with its stated purpose, but the undeclared config/env usage and repo-modifying hook install are reasons to review the files and configuration choices before use.
Capability analysis
Type: OpenClaw Skill
Name: cryptolint
Version: 1.0.1
The CryptoLint skill bundle implements a cryptography misuse detector using regex-based scanning. While the tool's logic aligns with its stated purpose, it contains significant security vulnerabilities (shell injection) in `license.sh` and `analyzer.sh` due to the use of `python3 -c` and `node -e` with unsanitized string interpolation of JWT payloads and file content. Furthermore, the `hooks install` command in `dispatcher.sh` modifies local git configurations to automatically execute scripts via `lefthook`, which is a high-privilege action. Although no evidence of intentional data exfiltration or malicious backdoors was found, the poor handling of external input (license keys and scanned code) poses a risk of arbitrary code execution.
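The bug class that analysis describes, shown as an added example rather than the skill's actual `license.sh`/`analyzer.sh` code: a JWT-style license token whose decoded payload is spliced into the source text of a `python3 -c` program (the `node -e` case has the same shape), next to the fixed form that keeps the program constant and passes the payload as an argv element. The token layout, the `sub` field and both payloads are constructed for the demo; the interpreter is whatever `sys.executable` points at.

```python
"""Interpolating untrusted data into `python3 -c` / `node -e` program text.

Added example (not the skill's own code) of the bug class the analysis
describes: a license token's payload is spliced into a program string, so a
crafted token runs attacker-chosen code. The token format, the `sub` field
and the two payloads are constructed for the demo.
"""
import base64
import subprocess
import sys
from typing import Optional


def decode_jwt_payload(token: str) -> str:
    """Return the decoded (signature NOT verified) payload segment of a JWT."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return base64.urlsafe_b64decode(segment).decode()


def make_token(payload: str) -> str:
    """Build header.payload.signature with a dummy signature (constructed)."""
    def enc(s: str) -> str:
        return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")
    header = enc('{"alg":"HS256","typ":"JWT"}')
    return f"{header}.{enc(payload)}.sig"


def subject_unsafe(token: str) -> str:
    """VULNERABLE: the payload text becomes part of the program handed to -c.

    A single quote in the payload closes the string literal and everything
    after it is parsed as Python. Returns the child's stdout.
    """
    payload = decode_jwt_payload(token)
    program = "import json; print(json.loads('" + payload + "')['sub'])"
    proc = subprocess.run([sys.executable, "-c", program],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def subject_safe(token: str) -> Optional[str]:
    """FIXED: the program is a constant; the payload travels in argv.

    The interpreter never parses the payload as code, only json.loads sees it.
    A malformed payload makes the child exit non-zero and we return None.
    """
    payload = decode_jwt_payload(token)
    program = "import json, sys; print(json.loads(sys.argv[1])['sub'])"
    proc = subprocess.run([sys.executable, "-c", program, payload],
                          capture_output=True, text=True, timeout=30)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


BENIGN_TOKEN = make_token('{"sub":"alice","tier":"pro"}')

# Constructed attack payload. The attacker controls every byte of the token,
# so it does not have to be valid JSON; it only has to complete the program
# text the unsafe path builds around it.
INJECTED_PAYLOAD = (
    """{"sub":"a"}')['sub']); print("INJECTED"); print(json.loads('{"sub":"b"}"""
)
MALICIOUS_TOKEN = make_token(INJECTED_PAYLOAD)

if __name__ == "__main__":
    print("unsafe, benign   :", subject_unsafe(BENIGN_TOKEN).strip())
    print("unsafe, malicious:", subject_unsafe(MALICIOUS_TOKEN).split())
    print("safe,   benign   :", subject_safe(BENIGN_TOKEN))
    print("safe,   malicious:", subject_safe(MALICIOUS_TOKEN))
```

The unsafe path prints `INJECTED` for the crafted token because the decoded bytes were compiled as Python; the safe path returns None for it and `alice` for the benign one. The same fix applies to the file content the analyzer feeds to an interpreter: hand it over on stdin or as an argument, never by concatenating it into program text. Signature verification is optional here (CLAWHUB_JWT_SECRET), and even when it is configured the decoded payload should still be treated as data, not code.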
Capability tags
crypto · requires-wallet · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The code, SKILL.md, and files implement a local cryptography linter with git-hook integration (lefthook). Required binaries (git, bash, python3, jq) and the brew lefthook install are coherent with the stated purpose. However, the runtime code reads ~/.openclaw/openclaw.json for a stored license key while the registry 'Required config paths' lists none — this mismatch should be corrected or explained.
Instruction Scope
Runtime instructions and scripts operate locally: discover files, run grep-based regex patterns, compute scores, and optionally install git hooks. The dispatcher and analyzer source only local files and do not contact external endpoints. They do modify repository configuration (append or create lefthook.yml) when installing hooks — this is expected for git-hook integration but is a repository-modifying action the user should be aware of.
Install Mechanism
Install uses a Homebrew formula (lefthook) which is a standard package manager path and low risk. There are no URL-based downloads or archive extraction in the skill's install spec.
Credentials
Primary credential CRYPTOLINT_LICENSE_KEY is appropriate for a paid tier. However, license.sh looks for and reads ~/.openclaw/openclaw.json (not declared in registry metadata), and may use an undeclared env var CLAWHUB_JWT_SECRET for optional JWT signature verification. The skill will try multiple local tools (python3/node/jq/openssl) to parse that config and validate tokens. These extra reads/variables should have been declared in registry metadata.
Persistence & Privilege
The skill is not always:true and does not request system-wide persistent privileges. It can install git hooks which modify a repo's lefthook.yml (user-invoked action). It does not modify other skills or global agent settings beyond reading the OpenClaw config and optionally writing/altering repo lefthook.yml during hook installation.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Type the install command in the chat box: /install cryptolint
  3. Once installed, call the Skill by name or trigger it with /cryptolint
  4. Provide the inputs described in the Skill's parameter documentation to get structured output
Version history
v1.0.1
Fix: declare all deps, JWT verification, configPaths
v1.0.0
Initial release of CryptoLint: A cryptography misuse and weak algorithm detector.
- Scans codebases for deprecated cryptographic algorithms, hardcoded keys/IVs, weak modes, timing attacks, and insecure TLS configuration.
- Free tier: 30 patterns (weak algorithms & key management), no license required.
- Pro/Team tiers: up to 90 patterns covering 6 categories (WA, KM, EM, RN, TC, CP).
- Integrates with git hooks (requires lefthook); supports local scans and zero telemetry.
- Outputs markdown, JSON, and HTML reports with remediation guidance.
- Grading and scoring system with detailed severity-based deductions and exit codes.
Metadata
Slug cryptolint
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Versions 2
FAQ

What is cryptolint?

Cryptography misuse & weak algorithm detector -- detects deprecated algorithms, hardcoded keys/IVs, ECB mode, weak random number generation, timing-vulnerabl... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 91 downloads to date.

How do I install cryptolint?

Run the command "/install cryptolint" in the OpenClaw or Claude Code chat box to install it in one step; the Free tier needs no extra configuration.

Is cryptolint free?

The code is released under the MIT-0 license and the Free tier (30 patterns, WA and KM categories) needs no license key; the Pro and Team pattern tiers require a paid CRYPTOLINT_LICENSE_KEY, as described in the SKILL.md above.

Which platforms does cryptolint support?

cryptolint runs cross-platform, in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).

Who developed cryptolint?

Developed and maintained by suhteevah (@suhteevah); current version v1.0.1.
