← 返回 Skills 市场
OpenClaw Security Analysis
作者
michealxie001
· GitHub ↗
· v1.1.0
· MIT-0
123
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install oc-security
功能描述
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice.
使用说明 (SKILL.md)
Security - Security Analysis
安全分析工具,扫描代码漏洞、检查依赖、提供修复建议。
Version: 1.1
Features: 漏洞扫描、依赖检查、密钥检测、安全建议、C/C++ 支持 (NEW)
Quick Start
1. 扫描代码
# 扫描单个文件
python3 scripts/main.py scan --file src/main.py
# 扫描整个项目
python3 scripts/main.py scan --dir src/
2. 检查依赖
# 检查依赖漏洞
python3 scripts/main.py deps --requirements requirements.txt
# 检查 package.json
python3 scripts/main.py deps --package-json package.json
3. 检测密钥泄露
# 扫描密钥泄露
python3 scripts/main.py secrets --dir .
Commands
| 命令 | 说明 | 示例 |
|---|---|---|
scan |
安全扫描 | scan --file src.py |
deps |
依赖检查 | deps --requirements req.txt |
secrets |
密钥检测 | secrets --dir . |
安全扫描
$ python3 scripts/main.py scan --file src/auth.py
🔒 Security Scan Results
=========================
File: src/auth.py
Issues found: 2
🔴 Critical:
Line 34: Hardcoded password
password = "admin123" # ← Move to environment variable
CWE-798: Use of Hard-coded Credentials
🟡 Medium:
Line 67: SQL injection risk
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
CWE-89: SQL Injection
Fix: Use parameterized queries
✅ No secrets detected
依赖检查
$ python3 scripts/main.py deps --requirements requirements.txt
📦 Dependency Check
===================
Checked: 15 packages
Issues: 2
🔴 CVE-2023-1234: requests \x3C 2.31.0
Severity: High
Fix: pip install requests>=2.31.0
🟡 CVE-2023-5678: flask \x3C 2.3.0
Severity: Medium
Fix: pip install flask>=2.3.0
✅ All other dependencies up to date
密钥检测
$ python3 scripts/main.py secrets --dir .
🔑 Secret Detection
===================
Scanned: 45 files
Secrets found: 1
🔴 .env (line 3):
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Type: AWS Secret Access Key
Action: Move to secrets manager or environment variable
⚠️ Remember to rotate exposed credentials!
检测规则
代码漏洞
| 规则 | 严重度 | CWE |
|---|---|---|
| Hardcoded credentials | 🔴 Critical | CWE-798 |
| SQL injection | 🔴 Critical | CWE-89 |
| Command injection | 🔴 Critical | CWE-78 |
| Path traversal | 🔴 Critical | CWE-22 |
| Insecure crypto | 🟡 Medium | CWE-327 |
| Weak random | 🟡 Medium | CWE-338 |
| Debug mode enabled | 🟡 Medium | CWE-489 |
密钥模式
| 类型 | 检测 |
|---|---|
| API Keys | ✅ |
| AWS Credentials | ✅ |
| Database URLs | ✅ |
| Private Keys | ✅ |
| JWT Secrets | ✅ |
| Passwords in code | ✅ |
Configuration
.security.json:
{
"severity_threshold": "medium",
"ignore_paths": [
"tests/**",
"vendor/**"
],
"ignore_rules": [
"debug-mode-in-production"
],
"custom_patterns": {
"company_api_key": "COMPANY_[A-Z0-9]{32}"
}
}
CI/CD 集成
# .github/workflows/security.yml
name: Security Scan
on: [pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Code
run: python3 skills/security/scripts/main.py scan --dir src/
- name: Check Dependencies
run: python3 skills/security/scripts/main.py deps --requirements requirements.txt
- name: Detect Secrets
run: python3 skills/security/scripts/main.py secrets --dir .
Files
skills/security/
├── SKILL.md # 本文件
└── scripts/
├── main.py # ⭐ 统一入口
├── scanner.py # 漏洞扫描器
└── rules/ # 检测规则
├── python.yml
└── javascript.yml
Roadmap
- Basic vulnerability detection
- Secret detection
- Dependency checking
- SAST integration
- DAST support
安全使用建议
This skill appears to do what it says: local static scans, dependency checks, and secret detection. Before installing or running it on sensitive repositories: 1) Review the full scripts/main.py (the provided snippet was truncated) to confirm there are no network calls or exfiltration paths. 2) Note the tool will read project files (including .env) to find secrets—run it in a safe/test environment if you are worried about exposing keys. 3) The code will optionally import a 'c-support' library from a relative parent path if present; ensure you trust any c-support/ code in your repo because it would be executed. 4) The SKILL.md references other files (scanner.py, rules/) that are not bundled—confirm you have the intended rule set if you expect C/C++ scanning. If you want higher assurance, run the script in an isolated environment and inspect the remainder of the code for network or subprocess usage before granting it broad autonomous access.
功能分析
Type: OpenClaw Skill
Name: oc-security
Version: 1.1.0
The skill bundle provides a legitimate security analysis tool for Python and C/C++ code, performing static analysis to detect vulnerabilities (SQL injection, command injection), hardcoded secrets, and insecure configurations. The implementation in `scripts/main.py` uses standard Python libraries like `ast` and `re` for scanning and does not contain any evidence of data exfiltration, malicious execution, or prompt injection.
能力评估
Purpose & Capability
The SKILL.md description (vulnerability scanning, dependency checks, secret detection) aligns with the included scripts/main.py functionality. The README mentions additional files (scanner.py, rules/) that are not present in the bundle—this is a documentation mismatch but not evidence of malicious intent. The code also attempts to import an optional 'c-support' library from a relative parent path to add C/C++ scanning; this is plausible for C support but means the tool may execute code from a repo-level c-support/ directory if present.
Instruction Scope
Runtime instructions are narrowly scoped to scanning files, directories, and dependency manifests (requirements.txt, package.json) and to CI integration steps. The SKILL.md explicitly instructs scanning project files and .env files for secrets, which is appropriate for a secret-detection tool. There are no instructions to read or transmit unrelated system state or credentials beyond the target codebase.
Install Mechanism
No install spec is provided; this is an instruction-only skill with an included Python script. Nothing in the package downloads or extracts external code by default.
Credentials
The skill declares no required environment variables or credentials. The code contains regexes to detect many secret types (AWS keys, OpenAI keys, GitHub tokens) but does not itself require those credentials to run. No unrelated credential access is requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request elevated privileges or attempt to modify other skills or global agent configuration in the provided files.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install oc-security - 安装完成后,直接呼叫该 Skill 的名称或使用
/oc-security触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
Added C/C++ support: CWE detection, unsafe functions, buffer overflow, format string vulnerabilities
元数据
常见问题
OpenClaw Security Analysis 是什么?
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 123 次。
如何安装 OpenClaw Security Analysis?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install oc-security」即可一键安装,无需额外配置。
OpenClaw Security Analysis 是免费的吗?
是的,OpenClaw Security Analysis 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
OpenClaw Security Analysis 支持哪些平台?
OpenClaw Security Analysis 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw Security Analysis?
由 michealxie001(@michealxie001)开发并维护,当前版本 v1.1.0。
推荐 Skills