功能描述

Audits Claude skills from GitHub repositories for effectiveness, token usage, safety, and best-practice compliance, then automatically generates bilingual so...

使用说明 (SKILL.md)

Skill Audit Workflow

Name: full scale openclaw skill auditor
Author: yangran

Audit a Claude skill from a GitHub repository. Evaluate effectiveness, token usage, time complexity, permissions, safety, and best-practice compliance. Produce a structured audit report.

Step 1: Clone & Extract

Run the clone script with the user-provided GitHub URL:

bash scripts/clone_and_extract.sh \x3Crepo-url>

The script outputs JSON listing all SKILL.md files found. If multiple skills exist in the repo, present the list to the user and ask which one(s) to audit.

If the script exits with a non-zero code:

Exit 1: Ask the user to provide a valid GitHub URL
Exit 2: Check if the repo exists and is public
Exit 3: The repo has no SKILL.md files — inform the user

Step 2: Create Output Directory

Create the audit output directory:

audits/\x3Cskill-name>-\x3CYYYYMMDD-HHMMSS>/

Write metadata.json with:

{
  "repo_url": "\x3Curl>",
  "timestamp": "\x3CISO 8601>",
  "auditor": "Fenz.AI",
  "skill_name": "\x3Cname>",
  "skill_path": "\x3Cpath within repo>"
}

Step 3: Save Source Files

Copy all files from the skill directory (the directory containing SKILL.md and its subdirectories) into source/ within the output directory. Then clean up the temp clone directory.

Step 4: Analyze

Read references/audit-criteria.md for detailed rubrics. Evaluate each category:

4a. Effectiveness

Read the skill's SKILL.md and evaluate:

Description quality (WHAT + WHEN)
Trigger clarity and coverage
Workflow definition clarity
Examples for complex steps
Error handling guidance

Rate: Strong / Adequate / Weak

4b. Token Usage

Run the analysis script:

python3 scripts/analyze_tokens.py \x3Csource-dir>

Use the JSON output to assess:

SKILL.md line count
Progressive disclosure usage
Total token footprint
Category breakdown

Rate: Low / Medium / High

4c. Time Spending

Evaluate the workflow for:

Complexity and branching
Number of external tool calls
User interaction requirements
Scope clarity

Rate: Quick / Moderate / Extended

4d. Permissions

Check the skill for:

allowed-tools in frontmatter — what tools are requested?
Whether each tool is justified by the workflow
Destructive tool usage (Bash without restrictions, Write to system paths)
Network access scope
File system access scope

Flag any red flags. Rate: Minimal / Moderate / Broad

4e. Safety

Evaluate:

Does behavior match the description?
Network access patterns
File scope boundaries
Sensitive data handling
Input validation (especially for shell commands)

Rate: Low Risk / Medium Risk / High Risk

4f. Recommendations

Read references/skill-best-practices.md and check the skill against each item. Group findings by priority:

High: Safety, correctness, major effectiveness issues
Medium: Efficiency, maintainability issues
Low: Style and convention suggestions

Step 5: Generate Report

Read assets/audit-report-template.md and fill in all template fields with the analysis results. Save as audit-report.md in the output directory.

Include:

All six category ratings with detailed explanations
Specific evidence from the skill files for each finding
Concrete, actionable recommendations
Positive observations (what the skill does well)
File appendix with token estimates

Step 6: Log Everything

Maintain process-log.md in the output directory. Append each step as it completes:

## [YYYY-MM-DD HH:MM:SS] Step N: \x3Cstep name>
- Status: success/failed/skipped
- Details: \x3Cwhat happened>
- Errors: \x3Cif any>

Step 7: Generate Social Media Posts

Automatically generate posts from the audit report.

Run: python3 ../post-generator/scripts/extract_findings.py \x3Caudit-dir>/audit-report.md
Read ../post-generator/references/writing-guide-en.md and ../post-generator/assets/post-template-twitter-en.md
Generate 2-3 English post variations following the guide
Read ../post-generator/references/writing-guide-zh.md and ../post-generator/assets/post-template-twitter-zh.md
Generate 2-3 Chinese post variations (NOT translations — independently crafted)
Save posts-en.md and posts-zh.md in the audit output directory
Log post generation step to process-log.md

Quality rules:

Posts must sound human-written, not AI-generated
No banned phrases (see writing guides for anti-pattern lists)
Fenz.AI mentioned once, naturally, first post only
Max 2 hashtags, no emoji spam
English: professional/conversational; Chinese: direct/opinionated with full-width punctuation

安全使用建议

This skill mostly does what it says (clone a GitHub repo, inspect SKILL.md, estimate tokens, and produce a report), but there are a few actionable concerns to weigh before running it: - Runtime dependencies: The scripts assume git, bash, and python3 are available even though the skill metadata lists no required binaries. Run it in an environment where those tools are present and isolated. - Cloning arbitrary repos: The workflow clones whatever GitHub URL you provide and then reads/copies all files in the skill directory. That is expected for an auditor but means the process will see any secrets or large files in the repo. Only use with repos you trust, or run inside a restricted sandbox/container. - Cleanup: clone_and_extract.sh intentionally leaves the temp clone directory and prints its path; SKILL.md expects the agent to clean it up. Ensure the agent or you remove temporary clones to avoid leaving sensitive data on disk. - External paths: SKILL.md Step 7 references ../post-generator/* (scripts and reference files outside the skill). Confirm those sibling directories exist and are trustworthy before the agent opens or executes them; otherwise the agent may attempt to read or run files outside the skill and your intended workspace. - Shell handling: The clone script extracts the SKILL.md frontmatter name using grep/sed and inserts it directly into JSON output. Malformed or adversarial SKILL.md frontmatter could produce malformed output or confuse downstream parsers. Treat untrusted repos cautiously. Practical suggestions: - Run the auditor in an isolated container/VM and inspect the cloned repo before letting any automation parse or publish findings. - Manually verify the presence and contents of ../post-generator if you need social-post generation, or adapt the workflow to use an included post-generator implementation. - If you plan to allow the agent to run this autonomously, restrict the input set of repos (whitelist) or add explicit confirmation steps and explicit temp-dir cleanup commands. Given these mismatches and operational risks (but no evidence of deliberate misdirection or malicious code), the skill is classified as suspicious — review and harden the workflow before using it on untrusted repositories.

功能分析

Type: OpenClaw Skill Name: fenz-skill-auditor Version: 1.0.0 The skill bundle is a legitimate tool designed to audit other AI skills for safety, efficiency, and best practices. It uses a bash script (scripts/clone_and_extract.sh) to safely clone GitHub repositories and a Python script (scripts/analyze_tokens.py) to estimate token usage without executing untrusted code from the target repositories. While it references an external directory (../post-generator/) for social media post generation, its operations are transparent, well-documented, and lack any indicators of malicious intent or data exfiltration.

能力评估

ℹ Purpose & Capability

The skill claims to audit Claude skills from GitHub and generate bilingual social posts; the included scripts (clone_and_extract.sh and analyze_tokens.py) implement cloning and token analysis which is coherent with that purpose. However, the SKILL.md and scripts assume availability of git, bash, and python3 even though the skill declares no required binaries. Expectation mismatch: the skill should declare those runtime deps.

⚠ Instruction Scope

Instructions direct the agent to clone arbitrary GitHub repos and copy the entire skill directory into an audit output dir — reading all files in the repo (which is expected for an auditor but can include secrets). Step 7 references ../post-generator/* files and scripts outside the skill's directory (parent-sibling paths), which may not exist and would cause the agent to read or execute files outside the skill boundary. The clone script prints the temp repo path and leaves cleanup to the caller (trap message says cleanup is caller responsibility), so cloned repositories may remain on disk if the agent doesn't explicitly remove them.

✓ Install Mechanism

No external downloads or installs are used; this is instruction+script-only. The scripts are local and readable; no remote code fetches beyond git clone of user-specified repositories. This is lower-risk than arbitrary download/extract installers, but cloning arbitrary repos is an operation with expected but non-trivial risk.

ℹ Credentials

The skill requests no environment variables or credentials — appropriate for its stated purpose. Minor concern: scripts assume tools (git, python3) exist but those binaries are not declared as required; also the auditor will read every file in the cloned repo (which is consistent with auditing but increases chance of encountering secrets or large files).

ℹ Persistence & Privilege

always is false (no forced inclusion). The skill's scripts create a temp clone directory and the clone script explicitly leaves cleanup to the caller; if the agent doesn't remove it the repo contents may persist on disk. The skill does not request to modify other skills or system-wide configuration.

版本历史

v1.0.0

Initial release of skill-audit — an automated Claude skill audit tool for GitHub repositories. - Audits Claude skills for effectiveness, token usage, safety, permissions, and best-practice compliance. - Generates structured reports with category ratings, evidence, recommendations, and positive findings. - Automatically creates bilingual (English & Chinese) social media posts summarizing audit results. - Logs all audit steps and status for traceability. - Designed for easy integration into skill development workflows.

元数据

Slug fenz-skill-auditor

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

full scale openclaw skill auditor 是什么？

Audits Claude skills from GitHub repositories for effectiveness, token usage, safety, and best-practice compliance, then automatically generates bilingual so... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 293 次。

如何安装 full scale openclaw skill auditor？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install fenz-skill-auditor」即可一键安装，无需额外配置。

full scale openclaw skill auditor 是免费的吗？

是的，full scale openclaw skill auditor 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

full scale openclaw skill auditor 支持哪些平台？

full scale openclaw skill auditor 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 full scale openclaw skill auditor？

由 Dr. Ren（@yangran）开发并维护，当前版本 v1.0.0。

full scale openclaw skill auditor