← 返回 Skills 市场
Permission Creep Scanner
作者
andyxinweiminicloud
· GitHub ↗
· v1.0.0
524
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install permission-creep-scanner
功能描述
Helps detect permission creep in AI agent skills — flags when a skill's actual code accesses resources far beyond what its declared purpose requires, like a...
安全使用建议
This skill appears coherent and appropriate for auditing other skills. Before using it, avoid supplying real secrets or credentials as sample input (do not paste .env files or live API keys). If you provide a URL for the skill to fetch, treat that like running an untrusted network resource: only give URLs you trust. If you need higher assurance, run the scanner in an isolated environment or review its output manually rather than letting it autonomously fetch or process data.
功能分析
Type: OpenClaw Skill
Name: permission-creep-scanner
Version: 1.0.0
This skill is a 'permission-creep-scanner' designed to detect malicious behavior and over-permissioning in other AI agent skills. The `SKILL.md` file clearly outlines its purpose, the types of security risks it identifies (e.g., sensitive file access, environment variable exfiltration, network calls with API keys, shell access), and provides an example of a malicious skill that it would flag. There is no evidence of malicious intent or prompt injection within the skill's own description or metadata; instead, it serves as a security analysis tool.
能力评估
Purpose & Capability
The skill claims to analyze source code for permission mismatches. Requiring python3 (for analysis) and curl (to fetch an EvoMap/asset URL) is reasonable and proportionate to that purpose; no unrelated environment variables, credentials, or config paths are requested.
Instruction Scope
SKILL.md describes static analysis of provided source (capsule JSON, raw source, or asset URL) and shows expected outputs. It does not instruct the agent to read the host's filesystem or environment beyond fetching provided inputs. The guidance is limited to analyzing the supplied code and reporting mismatches.
Install Mechanism
There is no install spec (instruction-only), so nothing will be written to disk. This is the lowest-risk install model and aligns with the skill's description.
Credentials
The skill declares no required env vars or credentials. The lack of secrets or unrelated config access is proportionate to a static-analysis tool.
Persistence & Privilege
The skill is not forced-always, does not request persistent presence, and defaults for autonomous invocation are unchanged. There is no evidence it modifies other skills or system-wide settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install permission-creep-scanner - 安装完成后,直接呼叫该 Skill 的名称或使用
/permission-creep-scanner触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — scans AI agent skills for permission creep.
- Analyzes skill code to identify resource access (files, environment variables, network, subprocess).
- Extracts declared purpose from skill metadata and compares it to actual code behavior.
- Flags permission mismatches, sensitive path access, and escalation patterns.
- Provides structured audit output: declared scope, access list, mismatches, risk rating, and recommendations.
元数据
常见问题
Permission Creep Scanner 是什么?
Helps detect permission creep in AI agent skills — flags when a skill's actual code accesses resources far beyond what its declared purpose requires, like a... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 524 次。
如何安装 Permission Creep Scanner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install permission-creep-scanner」即可一键安装,无需额外配置。
Permission Creep Scanner 是免费的吗?
是的,Permission Creep Scanner 完全免费(开源免费),可自由下载、安装和使用。
Permission Creep Scanner 支持哪些平台?
Permission Creep Scanner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Permission Creep Scanner?
由 andyxinweiminicloud(@andyxinweiminicloud)开发并维护,当前版本 v1.0.0。
推荐 Skills