← 返回 Skills 市场
Security Skill Scanner
作者
digitaladaption
· GitHub ↗
· v0.1.0
2319
总下载
4
收藏
4
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-skills-security-checker
功能描述
Security scanner for ClawdHub skills - detects suspicious patterns, manages whitelists, and monitors Moltbook for security threats.
安全使用建议
Do not run or install this skill as-is. Before trusting it, obtain and review the referenced code (the repository or release artifact), confirm a secure install source (git tag or release on the project's homepage), and have someone with security knowledge audit the scripts for actions that alter shell profiles, create cron jobs, or intercept installs. If you must test, do so in an isolated VM or sandbox, and verify how the whitelist is managed (who can edit data/whitelist.json). Prefer an install spec that pins a known release and includes checksums or signatures; avoid adding the molthub wrapper or cron jobs until the code is reviewed and you understand uninstall/remediation steps.
功能分析
Type: OpenClaw Skill
Name: openclaw-skills-security-checker
Version: 0.1.0
The skill, described as a security scanner, proposes a deep integration by overriding the `molthub` command in the user's shell profile (`.bashrc` or `.zshrc`) via `SKILL.md`. This allows the `install-hook.py` script to intercept and potentially block the installation of other skills, granting it significant control over skill management. Additionally, it suggests adding cron jobs for persistence of its scanning and monitoring functions. While the stated intent is security, these broad permissions and high level of system control, particularly the `molthub` override, represent a significant attack surface if the underlying scripts were malicious or vulnerable.
能力评估
Purpose & Capability
The description and instructions describe a Python/Bash-based scanner, whitelist manager, Moltbook monitor, and install-hook that can block installs — all reasonable for a 'security scanner' — but the package contains no code files or install spec. The SKILL.md expects scripts at /root/clawd/skills/security-skill-scanner/* and a Python module import, yet no such files are bundled. The metadata also fails to declare required runtimes (python3, bash). This inconsistency (claims vs. actual package contents) is a red flag.
Instruction Scope
Runtime instructions direct the operator to execute specific scripts (skill-scanner.py, whitelist-manager.py, moltbook-monitor.sh, install-hook.py), read/write files under /root/clawd and /tmp, add cron jobs, and modify shell profiles to wrap the molthub command. Those actions can affect system behavior and intercept skill installations. Because the scripts are not included, following the instructions would either fail or require fetching/creating external code — increasing risk.
Install Mechanism
There is no install specification and no code files. The SKILL.md assumes local scripts already exist or must be placed at /root/clawd/skills/security-skill-scanner. The lack of an explicit, auditable install source (git repo clone, release tarball, package manager entry) means a user or agent would need to obtain code from an external/unknown source before the described functionality can run — a high-risk situation.
Credentials
The skill declares no environment variables or credentials, which is proportionate for a scanner. However, the instructions recommend writing to system locations (/root, /var/log, /tmp), modifying ~/.bashrc to intercept installs, and scheduling cron jobs — actions that grant ongoing influence over the environment despite no explicit credential requests. No secrets are requested, but the recommended changes increase the skill's effective reach.
Persistence & Privilege
Although the registry flags do not force persistence, the SKILL.md encourages persistent installations: cron jobs for periodic scans and a shell wrapper for molthub to run the install-hook on every install. Those manual steps would give the scanner long-lived control over the install flow and logs; recommending them without bundled, reviewable code is a significant privilege escalation and should be treated cautiously.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-skills-security-checker - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-skills-security-checker触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial public release of Security Skill Scanner.
- Scans ClawdHub skills for suspicious patterns such as credential theft, command injection, and network exfiltration.
- Manages skill whitelists to reduce false positives and allow trusted skills.
- Monitors Moltbook for emerging security discussions and scam alerts.
- Generates and tracks permission manifests with Isnad chains.
- Provides daily automated scanning and reporting in both markdown and JSON formats.
- Includes pre-install hooks to automatically scan and block suspicious skills during installation, with force override option.
- Offers command-line scripts for scanning, whitelist management, and Moltbook monitoring.
元数据
常见问题
Security Skill Scanner 是什么?
Security scanner for ClawdHub skills - detects suspicious patterns, manages whitelists, and monitors Moltbook for security threats. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2319 次。
如何安装 Security Skill Scanner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-skills-security-checker」即可一键安装,无需额外配置。
Security Skill Scanner 是免费的吗?
是的,Security Skill Scanner 完全免费(开源免费),可自由下载、安装和使用。
Security Skill Scanner 支持哪些平台?
Security Skill Scanner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Security Skill Scanner?
由 digitaladaption(@digitaladaption)开发并维护,当前版本 v0.1.0。
推荐 Skills