- Total downloads: 800
- Favorites: 0
- Current installs: 2
- Versions: 1
Install in OpenClaw
/install openclaw-action
Description
GitHub Action for automated security scanning of agent workspaces. Detects exposed secrets, prompt/shell injection, and data exfiltration patterns in PRs and commits.
Security usage advice
This action performs the advertised scans, but it contradicts its own trust claims: instead of running only local, auditable code, action.yml downloads and executes scanner scripts from GitHub at runtime (raw URLs on the main branches). That creates a supply-chain risk because those remote files can change or be compromised.
Before installing or using this Action, consider:
- Prefer vendored or pinned scanner code: vendor the scanner scripts into the action repository or fetch scripts pinned to a specific commit SHA or release tag instead of raw 'main' URLs.
- Review the exact remote files to be executed (the three raw.githubusercontent.com URLs) and verify the upstream maintainers and commit SHAs. If you cannot verify, do not allow the action to run with elevated access.
- Treat this action as having the ability to execute arbitrary Python fetched at runtime: ensure it runs with least privilege in your CI, and avoid exposing secrets to runs triggered by untrusted forks or contributors.
- If you need stronger assurance, replace the runtime curl step with code checked into your organization (or use a verified marketplace action), or require that the scanner code is included in the repo under review so behavior is fully auditable.
If you accept the current design, at minimum ask the publisher to pin downloads to immutable references (commit SHAs/releases) and update the README to remove the false 'No network calls' claim. If you cannot confirm the upstream repositories are trustworthy, treat the action as risky and avoid installing it.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-action
Version: 1.0.0
The skill bundle is classified as suspicious due to a significant supply chain vulnerability. The `action.yml` file uses `curl -sL` to download and execute Python scanner scripts (sentry.py, bastion.py, egress.py) directly from `raw.githubusercontent.com` on the `main` branch of external repositories (e.g., `https://raw.githubusercontent.com/AtlasPA/openclaw-sentry/main/scripts/sentry.py`). This practice lacks version pinning or integrity checks, making the action highly susceptible to compromise if any of the upstream repositories are maliciously modified. While the stated purpose and the orchestrating `scripts/scan.py` appear benign, this unverified external code execution introduces a critical risk: the action's behavior could become malicious in the future through an upstream change, even though this bundle itself shows no direct evidence of intentional malice.
Capability assessment
Purpose & Capability
Name/description match the code: it is a GitHub Action that scans workspaces for secrets, injection, and egress patterns and only requires python3. However, the README and SKILL.md assert 'No network calls' and 'No dependencies' while action.yml downloads scanner scripts at runtime via curl from raw.githubusercontent.com. Fetching remote scanner code is not required for the action's stated purpose and is inconsistent with the claimed 'auditable, local-only' trust model.
Instruction Scope
SKILL.md and README instruct how to add the Action and state scanners run locally and are auditable. The actual runtime instructions (action.yml + scripts/scan.py) download external Python scanner scripts and then execute them. That means the action's runtime behavior extends beyond the local repo content the README promises: it executes code retrieved over the network, which can change between runs and may alter scanning behavior or exfiltrate data.
Install Mechanism
There is no installer, but action.yml explicitly uses curl to download three scripts from raw.githubusercontent.com at runtime. raw.githubusercontent.com is a well-known host (GitHub), which is better than arbitrary servers, but downloading and executing raw scripts from the network on each run is higher-risk than vendoring/pinning code. The downloads are not pinned to commit SHAs or releases (they use main branch URLs), increasing supply-chain fragility.
Credentials
The skill does not request extra credentials or unrelated environment variables. It uses standard GitHub Actions runner env vars (GITHUB_OUTPUT, GITHUB_STEP_SUMMARY) and accepts workspace and scan toggles via inputs. No SECRET/TOKEN env vars are required by the skill itself.
Persistence & Privilege
`always` is false; the skill does not request permanent agent presence or attempt to modify other skills. It writes only Action outputs and a job summary, and does not persist data beyond the run. The main privilege concern is runtime execution of downloaded code, not persistent elevated privileges.
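How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install openclaw-action
- After installation, call the Skill by name or use /openclaw-action to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output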
Version history
v1.0.0
Initial release of openclaw-action: automated security scanning GitHub Action.
- Scans agent workspaces for exposed secrets, injection, and data exfiltration patterns on PRs and commits.
- Detects API keys, tokens, credentials, prompt/shell injections, and suspicious network calls using sentry, bastion, and egress scanners.
- Provides configurable inputs for scan scope and failure conditions (`fail-on-findings`).
- Outputs finding counts and critical issue flags for CI integration.
- Action is alert-only—does not modify code or files.
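FAQ
What is Openclaw Action?
GitHub Action for automated security scanning of agent workspaces. Detects exposed secrets, prompt/shell injection, and data exfiltration patterns in PRs and commits. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 800 cumulative downloads so far.
How do I install Openclaw Action?
Run the command "/install openclaw-action" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Openclaw Action free?
Yes, Openclaw Action is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Openclaw Action support?
Openclaw Action is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).
Who developed Openclaw Action?
It is developed and maintained by AtlasPA (@atlaspa); the current version is v1.0.0.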