jinxiaotian1

my-test-skill

Author: jinxiaotian1 · GitHub ↗ · v0.0.1 · MIT-0
Platforms: linux, darwin, win32 · ⚠ suspicious
Total downloads: 285
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install my-test-skill
Description
Intelligent code security scanner with hybrid local-cloud detection. Fingerprints packages, runs static behavioral analysis, and consults cloud threat intell...
Safe-use recommendations
This skill appears to implement a legitimate hybrid local/cloud scanner, but take these precautions before installing:
  1. Verify publisher identity and that the registry package name matches the SKILL.md branding (my-test-skill vs yidun-skill-sec).
  2. Understand cloud mode will POST fingerprints, behavior tags, and extracted code snippets to https://as.dun.163.com (NetEase Yidun); if those metadata or snippets could be sensitive, disable cloud mode (YIDUN_SKILL_SEC_CLOUD=false) or avoid using the skill.
  3. Confirm you trust the external operator and your organization’s policies about sending package data abroad.
  4. If you need stronger assurance, request a signed release, a canonical source (GitHub repo/release), or an audited implementation rather than relying on SKILL.md prose alone.
Functional analysis
Type: OpenClaw Skill
Name: my-test-skill
Version: 0.0.1
The skill is a security scanner that performs data exfiltration by design, sending file hashes, behavior tags, and code snippets ('evidence artifacts') to a remote endpoint (as.dun.163.com) for analysis. While the documentation (SKILL.md, README.md) claims to redact sensitive values, the transmission of local code context, file paths, and metadata to a third-party service constitutes a significant privacy and security risk. The behavior is aligned with the stated purpose of 'hybrid cloud detection,' but the inherent risk of sending code fragments to an external domain makes it suspicious.
Capability assessment
Purpose & Capability
The SKILL.md and README implement exactly what the description promises: local fingerprinting and static analysis plus an optional cloud intelligence POST to as.dun.163.com. Required binaries (curl, jq, openssl) are appropriate. However, the registry metadata lists the skill as 'my-test-skill' while the SKILL.md/README identify the package as 'yidun-skill-sec' / 'YidunClawSec' (branding mismatch), which is an incoherence worth verifying with the publisher.
Instruction Scope
Instructions explicitly compute file-level hashes, extract code snippets that triggered detections, build a fingerprint manifest, and upload fingerprint/behavior tags/evidence to a remote endpoint. Uploading extracted code snippets (even if partial) to an external service is within the stated purpose (cloud analysis) but is a privacy/data-exfiltration risk that should be acknowledged. The SKILL.md also references source metadata (install_url, author data) that implies additional registry queries or metadata collection outside the package; those network actions are not declared in the registry metadata but are consistent with the scanner's needs.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or installed by the skill package itself. This minimizes install-time risk. The only runtime network activity described is to the cloud analysis endpoint, which is implemented via curl (declared).
Credentials
No required secrets or privileged env vars are listed. Two optional env vars are declared (YIDUN_SKILL_SEC_CLOUD to toggle cloud, and YIDUN_SKILL_SEC_TRUSTED_REGISTRIES) which are proportionate. Still, because the skill will send fingerprints and extracted snippets to an external endpoint, users should consider whether that data is acceptable to disclose to the named operator (NetEase Yidun) before enabling cloud mode.
Persistence & Privilege
always is false and the skill does not request persistent platform-level privileges or modification of other skills. Autonomous invocation is allowed by default but that is the platform norm and not by itself a red flag here.
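How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install my-test-skill
  3. Once installation completes, call the Skill by name or trigger it with /my-test-skill
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history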
v0.0.1
my-test-skill v0.0.1
- Initial release of an intelligent code security scanner with hybrid local-cloud detection.
- Performs package fingerprinting, static behavioral analysis, and cloud-based threat intelligence lookups (enabled by default, configurable).
- Provides a quantified safety score and severity tags based on code behaviors and source trust.
- Defaults to strong privacy safeguards: only non-sensitive metadata is uploaded for cloud analysis.
- Supports trusted registry allowlisting and customizable environment settings.
Metadata
Slug: my-test-skill
Version: 0.0.1
License: MIT-0
Total installs: 1
Current installs: 1
Number of versions: 1
FAQ

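What is my-test-skill?

Intelligent code security scanner with hybrid local-cloud detection. Fingerprints packages, runs static behavioral analysis, and consults cloud threat intell... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 285 total downloads so far.

How do I install my-test-skill?

Run the command "/install my-test-skill" in the OpenClaw or Claude Code dialog box for one-click installation; no additional configuration is required.

Is my-test-skill free?

Yes, my-test-skill is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does my-test-skill support?

my-test-skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, darwin, win32).

Who developed my-test-skill?

Developed and maintained by jinxiaotian1 (@jinxiaotian1); the current version is v0.0.1.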
