
Driftguard

Author: david90232 · GitHub · v0.2.4 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 327
Favorites: 1
Current installs: 0
Versions: 8
Install in OpenClaw
/install driftguard
Description
Trust-then-verify integrity scanner for local repos and OpenClaw skills. Use when you want to scan before trust, save a trusted baseline, compare after updat...
Usage instructions (SKILL.md)

Skill Drift Guard

Trust what you review. Compare what changed later.

Use this skill for local integrity checks and post-update drift detection on repos or installed skills.

This skill is intentionally narrower than a generic security scanner. Its best use is:

  • scan a local skill folder or repo before trust
  • save a trusted baseline after review
  • compare later to answer what changed since trust
  • highlight risky new capabilities like shell, network, sensitive file access, symlinks, dependencies, or install hooks

Quick start

Run the scanner directly from the installed skill folder:

node {baseDir}/scripts/cli.js scan <path>

Save a trusted baseline after review:

node {baseDir}/scripts/cli.js trust <path>

Save a trusted baseline to a custom location:

node {baseDir}/scripts/cli.js trust <path> --baseline ./reports/skill-baseline.json

Compare a skill or repo against a saved baseline:

node {baseDir}/scripts/cli.js compare <path> --baseline ./reports/skill-baseline.json

Recommended workflow

1. Scan before trust

Review the candidate repo or skill first.

node {baseDir}/scripts/cli.js scan /path/to/skill

Treat high or critical output as a stop sign until manually reviewed.

2. Trust after review

If the findings are acceptable, save a trusted baseline.

node {baseDir}/scripts/cli.js trust /path/to/skill

3. Compare after updates

After the skill changes or updates, compare it to the saved baseline.

node {baseDir}/scripts/cli.js compare /path/to/skill --baseline ./reports/baseline.json

Look especially for:

  • newly added or changed files
  • new shell or network findings
  • dependency or install-hook drift
  • new symlinks or sensitive file references
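The trust and compare steps above, sketched as an added example (this is not Driftguard's own code, and the entry format, function names and sample files are assumptions): each path gets a SHA-256 fingerprint, symlinks are recorded by their link text without being followed, and a later snapshot is diffed against the trusted one.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const crypto = require("crypto");
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Record one fingerprint per path under root. Symlinks are recorded by their
// link text (readlink) and never followed, so a link cannot pull outside files in.
function snapshot(root, rel = "", out = Object.create(null)) {
  for (const ent of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    const r = rel ? `${rel}/${ent.name}` : ent.name;
    const abs = path.join(root, r);
    if (ent.isSymbolicLink()) out[r] = "symlink:" + fs.readlinkSync(abs);
    else if (ent.isDirectory()) snapshot(root, r, out);
    else if (ent.isFile())
      out[r] = "sha256:" + crypto.createHash("sha256").update(fs.readFileSync(abs)).digest("hex");
  }
  return out;
}

// Diff a trusted baseline against the current snapshot. New or retargeted
// symlinks are reported in their own list in addition to added/changed.
function compare(baseline, current) {
  const drift = { added: [], removed: [], changed: [], symlinks: [] };
  for (const p of Object.keys(current).sort()) {
    if (!has(baseline, p)) drift.added.push(p);
    else if (baseline[p] !== current[p]) drift.changed.push(p);
    if (current[p].startsWith("symlink:") && baseline[p] !== current[p]) drift.symlinks.push(p);
  }
  for (const p of Object.keys(baseline).sort())
    if (!has(current, p)) drift.removed.push(p);
  return drift;
}

// Constructed sample: a tiny skill folder is trusted, then "updated".
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "skill-"));
  fs.mkdirSync(path.join(root, "scripts"));
  fs.writeFileSync(path.join(root, "SKILL.md"), "# demo skill\n");
  fs.writeFileSync(path.join(root, "scripts/run.js"), "console.log('hi');\n");
  const baseline = JSON.parse(JSON.stringify(snapshot(root))); // saved, then reloaded
  fs.writeFileSync(path.join(root, "scripts/run.js"), "require('child_process');\n");
  fs.writeFileSync(path.join(root, "postinstall.sh"), "#!/bin/sh\n");
  fs.unlinkSync(path.join(root, "SKILL.md"));
  fs.symlinkSync("../outside-the-skill", path.join(root, "scripts/link"));
  const drift = compare(baseline, snapshot(root));
  fs.rmSync(root, { recursive: true, force: true });
  return drift;
}
console.log(JSON.stringify(demo(), null, 2));
```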

What it checks

  • risky shell execution patterns like curl | bash, eval, exec, subprocess, os.system
  • outbound network patterns like fetch, axios, requests, curl, webhook usage
  • references to sensitive files like .env, SSH keys, SOUL.md, MEMORY.md, OpenClaw config
  • prompt injection style content in SKILL.md, SOUL.md, MEMORY.md
  • obfuscation hints like base64 helpers and long encoded blobs
  • symlink drift without following symlinks
  • dependency drift in package.json, requirements.txt, and pyproject.toml
  • install-hook changes in package.json
  • combo risks like:
    • shell + network
    • network + sensitive files
    • shell + prompt-injection signals
    • obfuscation + active capabilities

Config suppressions

Use a .driftguard.json file in the scan root, or pass --config <file>.

Example:

{
  "ignorePaths": ["dist/", "fixtures/"],
  "ignoreRules": ["net.fetch", "shell.exec_generic", "shell.*"]
}

Use suppressions sparingly. If a rule is noisy, prefer narrowing it later instead of muting the whole category.

Exit codes

  • 0 for low risk and no drift
  • 1 for medium risk or drift detected
  • 2 for high or critical risk

Use this for CI or install gating.
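One way to gate an install or CI step on these exit codes, as an added example that is not part of the skill: the `gate` function, its `allowMedium` option and the `fakeScan` stand-in are assumptions, and anything other than the three documented codes (crash, signal, missing binary) is treated as a refusal.

```javascript
const { spawnSync } = require("child_process");

// Exit codes as documented above: 0 = low risk and no drift,
// 1 = medium risk or drift detected, 2 = high or critical risk.
function gate(cmd, args, { allowMedium = false } = {}) {
  const r = spawnSync(cmd, args, { encoding: "utf8" });
  // Fail closed: a scanner that is missing or was killed has given no verdict.
  if (r.error || r.status === null) {
    return { allow: false, reason: "scanner did not complete" };
  }
  if (r.status === 0) return { allow: true, reason: "low risk, no drift" };
  if (r.status === 1) {
    return { allow: allowMedium, reason: "medium risk or drift: review the report" };
  }
  if (r.status === 2) return { allow: false, reason: "high or critical risk" };
  // Any other code is not a documented verdict, so it must not pass the gate.
  return { allow: false, reason: `unexpected exit code ${r.status}` };
}

// Constructed stand-in for the scanner so the example runs offline:
// a node process that simply exits with the given code.
const fakeScan = (code) => [process.execPath, ["-e", `process.exit(${code})`]];

for (const code of [0, 1, 2, 7]) {
  console.log(code, gate(...fakeScan(code)));
}
```

In a real pipeline the command would be the `compare` invocation shown earlier, with the baseline file stored somewhere the updated skill cannot write to.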

Positioning

Use this skill when you want a transparent, local, deterministic trust workflow. Do not use it as the sole authority for safety. It is a heuristic scanner plus drift guard, not a guarantee.

Security usage recommendations
This package appears to be a legitimate local 'trust-then-verify' scanner, but check a few things before using it:

  • Node requirement: The README/commands run the bundled CLI via `node ...`. Ensure you have a trusted Node runtime and that the metadata (if shown to users) correctly documents this dependency.
  • Inspect code first: The skill runs locally and will read and hash files under any target path you provide. Open and review scripts/cli.js and scripts/scanner.js to confirm you are comfortable with what will be read (avoid scanning folders with secrets unless intended).
  • Prompt-injection text: SKILL.md contains phrases that match prompt-injection patterns. That is likely intentional (the scanner detects those phrases), but avoid passing the SKILL.md content verbatim into other agents or granting the skill autonomous rights without review.
  • Autonomous invocation: If you allow the agent to invoke skills autonomously, consider whether you want it to be able to run arbitrary local scans. Autonomous use increases the potential for unintended access to local files.
  • Trust workflow: Use the scanner as a heuristic and follow the recommended trust-then-verify workflow; do not treat the tool as an absolute guarantee.

If you want this skill to be less risky in automated contexts, ask the author to: (1) declare Node as a required binary in the metadata, (2) remove or clearly mark prompt-injection example lines to reduce accidental interpretation, and (3) add guidance about scanning directories containing secrets.
Functional analysis
Type: OpenClaw Skill
Name: driftguard
Version: 0.2.4
The DriftGuard skill is a security-focused integrity scanner designed to establish a trusted baseline for local repositories and detect 'drift' (changes) over time. It uses heuristic regex patterns (defined in scripts/rules.js) to identify risky capabilities such as shell execution, network access, and sensitive file references, and it computes SHA-256 hashes (in scripts/scanner.js) to track file modifications. The tool operates entirely locally using standard Node.js modules, lacks any network exfiltration logic, and its instructions in SKILL.md are consistent with its stated purpose of providing a transparent, deterministic trust workflow.
Capability tags
crypto
Capability assessment
Purpose & Capability
The name, description, SKILL.md, and included code implement a local integrity/drift scanner — this matches the stated purpose. However the package/registry metadata claims no required binaries while the instructions explicitly tell users to run the scanner with `node {baseDir}/scripts/cli.js` (i.e., Node is required). That mismatch is a proportionate but notable omission; a legitimate skill of this form would normally declare a Node/runtime requirement.
Instruction Scope
SKILL.md instructs the agent/user to run the supplied Node CLI against arbitrary local paths (scan/trust/compare). That's expected for a local scanner, but the SKILL.md also contains text that matches prompt-injection patterns (pre-scan flagged 'ignore-previous-instructions'). In context this appears to be example/detection text (the scanner is built to detect prompt-injection phrases), but any SKILL.md that includes phrases like 'ignore previous instructions' can accidentally be interpreted by some agent tooling. Review the SKILL.md and included files before running them with elevated or autonomous privileges.
Install Mechanism
There is no external install spec and no network downloads — all sources are present in the skill bundle (scripts/*.js). This avoids the highest-risk patterns (remote downloads/exec). The code will run locally under Node and reads local files, so risk is confined to the privileges granted when you execute it.
Credentials
The skill declares no required environment variables or credentials, which is consistent with a local scanner. The scanner will read any files under the target path (including .env, keys, OpenClaw configs) to identify references; that behavior is appropriate for its purpose but means you should avoid scanning directories that contain secrets unless you intend to. No secret exfiltration endpoints are present in the code.
Persistence & Privilege
The skill is not always-included (always:false) and is user-invocable by default. Model invocation is allowed (disable-model-invocation:false) — this is normal platform behavior but do note that an autonomously-invoking agent could run this scanner against local paths if given the permission. Given the scanner's ability to read arbitrary files, enabling autonomous invocation increases the blast radius and should be considered before granting that capability.
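How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install driftguard
  3. Once installed, call the Skill by name or trigger it with /driftguard
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history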
v0.2.4
Reduce ClawHub static-scan false positive, update OpenClaw {baseDir} usage examples, and fix command-level help handling.
v0.2.3
Clean up ClawHub package contents: remove generated report artifacts and keep only the intentional skill files, while preserving the v0.2 trust workflow and updated commands.
v0.2.2
Align ClawHub package with v0.2 trust workflow: add trust command, clarify compare/trust baseline usage, improve positioning/copy, and sync packaged scripts with reviewed repo changes.
v0.2.1
Fix packaged CLI help/examples to use scripts/cli.js consistently.
v0.2.0
v0.2: stronger trust summaries, better manifest drift detection, and template-literal scan fix.
v0.1.2
Fix skill runtime packaging, unify script paths, and sharpen artifact usability.
v0.1.1
Sharpened positioning: scan before trust, compare after updates.
v0.1.0
Initial release: local-first integrity and drift scanner for skills and repos.
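Metadata
Slug driftguard
Version 0.2.4
License MIT-0
Total installs 0
Current installs 0
Version count 8
FAQ

What is Driftguard?

Trust-then-verify integrity scanner for local repos and OpenClaw skills. Use when you want to scan before trust, save a trusted baseline, compare after updat... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 327 total downloads to date.

How do I install Driftguard?

Run the command "/install driftguard" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Driftguard free?

Yes. Driftguard is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Driftguard support?

Driftguard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Driftguard?

Developed and maintained by david90232 (@david90232); the current version is v0.2.4.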
