← 返回 Skills 市场
胖叔 Skill 安全审查
作者
hjshysst-dot
· GitHub ↗
· v1.0.0
· MIT-0
98
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pangshu-skill-vetter
功能描述
Security vetting for agent skills before installation. Scans skill code for dangerous Bash commands, sensitive file access, network exfiltration, obfuscated...
安全使用建议
This skill appears to do what it says: a local pattern-based scanner implemented in Python. Before installing or enabling automatic pre-install hooks: 1) Review the vetter code yourself (it's included) to confirm the pattern rules meet your needs. 2) Be aware it is a heuristic scanner — it can produce false positives and false negatives and can be evaded by obfuscation or placing payloads in skipped paths (e.g., node_modules or markdown outside fenced code blocks). 3) Only enable automatic pre-install invocation (hooks) with admin oversight; restrict the hook configuration so the vetter runs in a sandboxed environment with access only to the incoming skill directory. 4) Consider complementing this tool with manual review or more robust static analysis, and do not assume a clean vetter report guarantees safety. If you want higher assurance, ask the author for test cases demonstrating detection of common evasion techniques or request addition of configurable scan scopes and reporting (no external uploads).
功能分析
Type: OpenClaw Skill
Name: pangshu-skill-vetter
Version: 1.0.0
The skill is a security scanner designed to perform static analysis on other OpenClaw skills to identify potential risks before installation. The implementation in `scripts/vetter.py` uses regex patterns to detect dangerous Bash commands, sensitive file access, and obfuscation, which aligns perfectly with the instructions in `SKILL.md`. No evidence of data exfiltration, malicious execution, or unauthorized persistence was found.
能力评估
Purpose & Capability
Name/description (a pre-install vetter) match the included artifact (scripts/vetter.py) and SKILL.md. The skill requires no env vars, binaries, or external services, which is appropriate for a local static scanner. The SKILL.md's claim that the vetter can be invoked automatically via OpenClaw hooks is an integration suggestion rather than an implicit platform entitlement; the registry metadata does not force automatic inclusion.
Instruction Scope
Runtime instructions tell the agent to run the bundled Python script against a skill directory. The scanner reads files under the provided skill_path and reports pattern matches — this is expected. Minor caveats: the scanner skips non-code markdown outside fenced code blocks and skips certain directories (node_modules, .git, __pycache__, .venv), which could allow malicious payloads to hide in skipped locations or plain text. The SKILL.md suggests auto-hooking; enabling that requires administrator configuration.
Install Mechanism
No install spec is present (instruction-only with one local script). Nothing is downloaded or written to system locations by the skill itself. This is the lowest-risk install profile.
Credentials
The skill requests no environment variables, credentials, or config paths. The internal scanner looks for mentions of credentials (e.g., .env, ~/.aws) but does not itself access external secrets or require credentials — this is proportionate to its stated purpose.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system settings. It can be configured to run as a pre-install hook, but that integration is opt-in and requires administrator configuration; the skill itself does not force persistent or privileged presence.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pangshu-skill-vetter - 安装完成后,直接呼叫该 Skill 的名称或使用
/pangshu-skill-vetter触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of skill-vetter to automatically scan agent skills for security risks before installation or update.
- Detects and blocks skills containing critical threats such as disk wipes, fork bombs, and SSH key abuse.
- Warns on suspicious behaviors like unsafe file operations, network exfiltration, or obfuscated code.
- Generates a detailed vetting report with severity-based verdicts (block, warn, or allow).
- Integrates with OpenClaw via pre-install hooks and supports manual scans via CLI.
元数据
常见问题
胖叔 Skill 安全审查 是什么?
Security vetting for agent skills before installation. Scans skill code for dangerous Bash commands, sensitive file access, network exfiltration, obfuscated... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 98 次。
如何安装 胖叔 Skill 安全审查?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pangshu-skill-vetter」即可一键安装,无需额外配置。
胖叔 Skill 安全审查 是免费的吗?
是的,胖叔 Skill 安全审查 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
胖叔 Skill 安全审查 支持哪些平台?
胖叔 Skill 安全审查 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 胖叔 Skill 安全审查?
由 hjshysst-dot(@hjshysst-dot)开发并维护,当前版本 v1.0.0。
推荐 Skills