← 返回 Skills 市场
OpenClaw Security Scanner
作者
michealxie001
· GitHub ↗
· v1.0.0
· MIT-0
128
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-secscan
功能描述
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice.
使用说明 (SKILL.md)
Security - Security Analysis
安全分析工具,扫描代码漏洞、检查依赖、提供修复建议。
Version: 1.0
Features: 漏洞扫描、依赖检查、密钥检测、安全建议
Quick Start
1. 扫描代码
# 扫描单个文件
python3 scripts/main.py scan --file src/main.py
# 扫描整个项目
python3 scripts/main.py scan --dir src/
2. 检查依赖
# 检查依赖漏洞
python3 scripts/main.py deps --requirements requirements.txt
# 检查 package.json
python3 scripts/main.py deps --package-json package.json
3. 检测密钥泄露
# 扫描密钥泄露
python3 scripts/main.py secrets --dir .
Commands
| 命令 | 说明 | 示例 |
|---|---|---|
scan |
安全扫描 | scan --file src.py |
deps |
依赖检查 | deps --requirements req.txt |
secrets |
密钥检测 | secrets --dir . |
安全扫描
$ python3 scripts/main.py scan --file src/auth.py
🔒 Security Scan Results
=========================
File: src/auth.py
Issues found: 2
🔴 Critical:
Line 34: Hardcoded password
password = "admin123" # ← Move to environment variable
CWE-798: Use of Hard-coded Credentials
🟡 Medium:
Line 67: SQL injection risk
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
CWE-89: SQL Injection
Fix: Use parameterized queries
✅ No secrets detected
依赖检查
$ python3 scripts/main.py deps --requirements requirements.txt
📦 Dependency Check
===================
Checked: 15 packages
Issues: 2
🔴 CVE-2023-1234: requests \x3C 2.31.0
Severity: High
Fix: pip install requests>=2.31.0
🟡 CVE-2023-5678: flask \x3C 2.3.0
Severity: Medium
Fix: pip install flask>=2.3.0
✅ All other dependencies up to date
密钥检测
$ python3 scripts/main.py secrets --dir .
🔑 Secret Detection
===================
Scanned: 45 files
Secrets found: 1
🔴 .env (line 3):
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Type: AWS Secret Access Key
Action: Move to secrets manager or environment variable
⚠️ Remember to rotate exposed credentials!
检测规则
代码漏洞
| 规则 | 严重度 | CWE |
|---|---|---|
| Hardcoded credentials | 🔴 Critical | CWE-798 |
| SQL injection | 🔴 Critical | CWE-89 |
| Command injection | 🔴 Critical | CWE-78 |
| Path traversal | 🔴 Critical | CWE-22 |
| Insecure crypto | 🟡 Medium | CWE-327 |
| Weak random | 🟡 Medium | CWE-338 |
| Debug mode enabled | 🟡 Medium | CWE-489 |
密钥模式
| 类型 | 检测 |
|---|---|
| API Keys | ✅ |
| AWS Credentials | ✅ |
| Database URLs | ✅ |
| Private Keys | ✅ |
| JWT Secrets | ✅ |
| Passwords in code | ✅ |
Configuration
.security.json:
{
"severity_threshold": "medium",
"ignore_paths": [
"tests/**",
"vendor/**"
],
"ignore_rules": [
"debug-mode-in-production"
],
"custom_patterns": {
"company_api_key": "COMPANY_[A-Z0-9]{32}"
}
}
CI/CD 集成
# .github/workflows/security.yml
name: Security Scan
on: [pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Code
run: python3 skills/security/scripts/main.py scan --dir src/
- name: Check Dependencies
run: python3 skills/security/scripts/main.py deps --requirements requirements.txt
- name: Detect Secrets
run: python3 skills/security/scripts/main.py secrets --dir .
Files
skills/security/
├── SKILL.md # 本文件
└── scripts/
├── main.py # ⭐ 统一入口
├── scanner.py # 漏洞扫描器
└── rules/ # 检测规则
├── python.yml
└── javascript.yml
Roadmap
- Basic vulnerability detection
- Secret detection
- Dependency checking
- SAST integration
- DAST support
安全使用建议
This skill appears to be a local security scanner and is internally consistent, but note the following before running it:
- Running the bundled script executes arbitrary Python included in the skill. If you do not fully trust the author, review scripts/main.py line-by-line (it was provided) before execution.
- The scanner will read and enumerate files in the target directory (rglob('*')), which is expected for secret detection but means it will touch many repository files and print findings to stdout. Do not run it in a context where printing secrets to logs is unsafe; prefer a sandbox or run locally in a controlled environment.
- The CI example path in SKILL.md (skills/security/scripts/main.py) doesn't match the provided file layout (scripts/main.py). Confirm paths if you integrate this into CI to avoid accidental execution of a different script.
- The tool itself does not make network calls or request credentials, but it suggests using external tools (safety, pip-audit). Use those tools from trusted sources if you follow that guidance.
If you want higher assurance: run the script in an isolated container, inspect the full main.py (and any referenced modules/rules) for unexpected behavior, and test on a non-sensitive repository first.
功能分析
Type: OpenClaw Skill
Name: openclaw-secscan
Version: 1.0.0
The skill bundle is a legitimate security analysis tool designed to perform static analysis on code for vulnerabilities and secrets. The primary logic in `scripts/main.py` uses the Python `ast` module and regular expressions to detect hardcoded credentials, SQL injection patterns, and dangerous function calls without executing the target code or exfiltrating data.
能力评估
Purpose & Capability
The name/description match the provided code and SKILL.md: the bundle includes a Python scanner (scripts/main.py) that implements scanning, dependency guidance, and secret detection. The requested resources (none) are proportional to a local scanner.
Instruction Scope
SKILL.md tells the agent to run the included Python script to scan files/directories and to integrate in CI. The instructions and script operate on local files (rglob over project files) which is expected for this purpose, but will enumerate/print secrets found to stdout. Minor mismatch: the CI example references skills/security/scripts/main.py while the distributed file path is scripts/main.py — this may be a packaging/path inconsistency to verify before use.
Install Mechanism
No install spec is provided and the skill is instruction-only with a bundled script. Nothing is downloaded or written by an installer; the only code executed is the included Python file.
Credentials
The skill requires no environment variables, credentials, or config paths. The scanner searches files for credentials (which is its purpose) but does not attempt to read unrelated environment variables or request external credentials.
Persistence & Privilege
The skill does not set always:true, does not claim to persist or modify other skills, and has no install-time hooks. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-secscan - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-secscan触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Security scanner for vulnerability detection and secret detection
元数据
常见问题
OpenClaw Security Scanner 是什么?
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 128 次。
如何安装 OpenClaw Security Scanner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-secscan」即可一键安装,无需额外配置。
OpenClaw Security Scanner 是免费的吗?
是的,OpenClaw Security Scanner 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
OpenClaw Security Scanner 支持哪些平台?
OpenClaw Security Scanner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw Security Scanner?
由 michealxie001(@michealxie001)开发并维护,当前版本 v1.0.0。
推荐 Skills