Total downloads: 107
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install klemenska-security-auditor
Description
Scan and audit installed skills for security risks, suspicious patterns, and permission overreach. Use when: (1) before installing a new skill; (2) periodica...
Usage instructions (SKILL.md)
Security Auditor
Audit skills for security risks before installing or using them.
Purpose
Skills can request permissions and access that may be:
- Overreaching (accessing data they shouldn't need)
- Suspicious (behaving oddly, phoning home, etc.)
- Outdated (known vulnerabilities in dependencies)
This skill helps you audit them.
When to Run
| Trigger | Action |
|---|---|
| Before installing a new skill | Full audit |
| Periodic review | Quick scan of installed skills |
| Suspicious behavior | Deep analysis |
| Permission review | Check requested permissions |
Audit Workflow
Step 1: Quick Scan
python3 scripts/audit.py --scan
Checks:
- File access patterns
- Network access requests
- Suspicious API usage
- Permission requests
Step 2: Detailed Audit
python3 scripts/audit.py --audit <skill-path>
Performs deep analysis:
- Code pattern analysis
- Dependency checking
- Permission mapping
- Risk scoring
Step 3: Generate Report
python3 scripts/audit.py --report <skill-path> --output report.md
Creates detailed security report.
Step 4: Compare Skills
python3 scripts/audit.py --compare <skill1-path> <skill2-path>
Compare security posture of two skills.
Risk Levels
| Level | Meaning | Action |
|---|---|---|
| 🟢 LOW | Minimal risk, standard permissions | Safe to install |
| 🟡 MEDIUM | Some overreach, review recommended | Read code before install |
| 🔴 HIGH | Significant risks, careful review required | Do not install without review |
| ⛔ CRITICAL | Dangerous patterns detected | Do not install |
Red Flags to Watch For
File Access
- Accessing ~/.ssh/ or ~/.aws/
- Reading *password*, *secret*, *key* files
- Writing to system directories
- Accessing other users' directories
Network
- Exfiltrating data to unknown servers
- DNS rebinding patterns
- Encrypted payloads to unfamiliar domains
Permissions
- Requesting exec with no scope limitation
- Reading memory or process info
- Keylogging or screenshot capabilities
- Accessing other installed skills' data
Code Patterns
- Obfuscated code
- Dynamic code generation
- Shell commands without sanitization
- Credential harvesting patterns
Files
- scripts/audit.py — Main audit script
- scripts/scan_skill.py — Skill-specific scanner
- references/rules.md — Security rules and patterns
- references/permissions.md — Permission reference guide
Security usage recommendations
This auditor generally does what it promises (scans skill files and produces reports) but I found design choices that could be abused to hide malicious code. Before you rely on its output: (1) review the auditor's own code yourself or have a trusted reviewer check it — pay special attention to files named with 'scan' or 'audit' because the scanner intentionally suppresses many flags for such filenames; (2) run the auditor in an isolated sandbox or ephemeral container that cannot access secrets (SSH keys, ~/.aws/, etc.) to avoid accidental disclosure; (3) test the auditor against known safe and malicious samples to confirm it detects the patterns you care about; (4) do not grant this tool network or broader system permissions without additional review. If you want, I can list the exact lines/locations in the included scripts that implement the filename-based suppression and the self-skip logic so you can inspect or patch them.
Functional analysis
Type: OpenClaw Skill
Name: klemenska-security-auditor
Version: 1.0.0
The skill is a security auditing tool designed to scan other OpenClaw skills for risky patterns such as credential access, shell execution, and hardcoded secrets. The implementation in scripts/audit.py and scripts/scan_skill.py uses static analysis (regex and string matching) to identify potential vulnerabilities without executing the target code. The documentation and instructions in SKILL.md are consistent with the tool's stated purpose, and no evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability assessment
Purpose & Capability
The name/description align with the included scripts: audit.py and scan_skill.py implement scanning of installed skills, permission extraction, and report generation. No unrelated credentials, binaries, or installs are requested. However some scanner behaviours (see instruction_scope) are disproportionate or risky for a trustworthy auditor.
Instruction Scope
SKILL.md instructs running the included Python scripts which recursively read skill directories (default ~/.openclaw/workspace/skills). The scripts scan files for dangerous patterns and can generate reports. Concerning behaviours: audit/scan scripts intentionally skip or suppress many pattern flags when the filename contains 'audit' or 'scan', and audit_skill explicitly skips 'self-audit' for the security-auditor. These exceptions create an evasion surface where a malicious skill could name files to avoid detection or put malicious code inside similarly named files.
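An added example (not code from the skill or from this review): a filename-invariance check that models the suppression described above with a constructed three-rule scanner, next to a content-only variant that passes it. The rule set, function names, alias file names and sample strings are assumptions; the internals of audit.py and scan_skill.py are not shown on this page.

```python
import re
from pathlib import PurePosixPath

# Constructed rules for illustration; the skill's real rules are not shown on the page.
RULES = {
    "credential-path": re.compile(r"~/\.(ssh|aws)/"),
    "shell-exec": re.compile(r"\b(os\.system|subprocess\.\w+)\s*\("),
    "dynamic-code": re.compile(r"\b(eval|exec)\s*\("),
}

def scan_with_filename_exemption(path, text):
    """Models the reviewed behaviour: files named *audit* or *scan* are never flagged."""
    name = PurePosixPath(path).name.lower()
    if "audit" in name or "scan" in name:
        return set()
    return {rule for rule, rx in RULES.items() if rx.search(text)}

def scan_content_only(path, text):
    """Hardened variant: findings depend on file content alone, never on the name."""
    return {rule for rule, rx in RULES.items() if rx.search(text)}

# Hypothetical file names: one neutral baseline, two that contain the exempt words.
ALIASES = ("helper.py", "audit_utils.py", "scan_cache.py")

def filename_invariance_gaps(scanner, samples, aliases=ALIASES):
    """Return {sample: {alias: rules lost}} for every rename that changed the findings."""
    gaps = {}
    for sample_name, text in samples.items():
        baseline = scanner(f"skill/{aliases[0]}", text)
        for alias in aliases[1:]:
            missing = baseline - scanner(f"skill/{alias}", text)
            if missing:
                gaps.setdefault(sample_name, {})[alias] = missing
    return gaps

# Constructed sample inputs: inert strings that are scanned, never executed.
SAMPLES = {
    "reads-ssh-key": 'data = open(os.path.expanduser("~/.ssh/id_rsa")).read()',
    "shell-call": "subprocess.run(cmd, shell=True)",
    "benign": 'print("hello")',
}

if __name__ == "__main__":
    for scanner in (scan_with_filename_exemption, scan_content_only):
        print(scanner.__name__, filename_invariance_gaps(scanner, SAMPLES))
```

An empty result from `filename_invariance_gaps` is the pass condition; the same check can wrap any scanner callable that takes a path and file text.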
Install Mechanism
There is no install spec and no downloads — the skill is instruction + included Python scripts. That reduces supply-chain risk compared with remote installs.
Credentials
The skill requires no environment variables or credentials and only needs filesystem read access to the skills directory it audits. That access is appropriate for an auditor. It does not attempt network exfiltration in the provided code.
Persistence & Privilege
always:false and no special privileges are requested. The scripts read user skill files and produce reports; they do not modify other skills or system configurations. This is proportionate to an audit tool.
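How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install klemenska-security-auditor
- After installation, call the Skill by name or use /klemenska-security-auditor to trigger it
- Provide the required input according to the Skill's parameter description to get structured output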
Version history
v1.0.0
Initial release of Security Auditor skill.
- Scan and audit installed skills for security risks, permission overreach, and suspicious behavior.
- Supports quick scans, detailed audits, report generation, and side-by-side skill comparison.
- Identifies risk levels (LOW, MEDIUM, HIGH, CRITICAL) with recommendations for each.
- Highlights major security red flags: file/network access, suspicious permissions, and risky code patterns.
- Includes scripts and reference files for flexible, in-depth security analysis.
FAQ
What is Klemenska Security Auditor?
Scan and audit installed skills for security risks, suspicious patterns, and permission overreach. Use when: (1) before installing a new skill; (2) periodica... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 107 cumulative downloads so far.
How do I install Klemenska Security Auditor?
Run the command "/install klemenska-security-auditor" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Klemenska Security Auditor free?
Yes, Klemenska Security Auditor is completely free and uses the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Klemenska Security Auditor support?
Klemenska Security Auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Klemenska Security Auditor?
Developed and maintained by klemenska (@klemenska); the current version is v1.0.0.