← 返回 Skills 市场
gawezepobi09-debug

Security Check

作者 nullweave · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
374
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install pre-install-security-check
功能描述
🔒 Pre-installation security verification for external code and dependencies. Automated risk analysis for GitHub repos, npm packages, PyPI libraries, and she...
安全使用建议
What to check before installing: 1) Clarify credentials: ask the author whether SNYK and/or a GitHub token are required, and if so where/how tokens are expected to be provided. The skill references Snyk and authenticated advisory endpoints but declares no required env vars—this should be explicit. 2) Confirm auto-install behavior: the skill's docs say 'auto-proceed' for items scored Safe. If you want manual control, verify configuration to disable auto-install, or require explicit confirmations for all installs. 3) Rate limits & failover: understand how the skill handles API rate limits and outages (the SKILL.md mentions caching and rate limiting as best practices but does not declare defaults). Without auth tokens GitHub rate limits are low and could cause failures. 4) Inspect files for obfuscated content: the scanner flagged a base64 block (from an SVG badge). Review all repository files for any other embedded/encoded content (base64, long data blocks) to ensure nothing hidden is executing or being used to inject prompts. 5) Test in a safe environment: run the skill in an isolated VM or sandbox and observe logs/behavior before letting it auto-install packages on your primary system. 6) Ask for an implementation or code: this skill is instruction-only in the package you provided. If the platform will run agent code based on these instructions, request the actual implementation code (how it executes checks and installs) so you can audit exact commands the agent will run. If you want, I can draft specific questions to ask the skill author (about tokens, auto-proceed defaults, logging, and sandboxing) or produce a short checklist to validate the implementation before trusting automatic installs.
功能分析
Type: OpenClaw Skill Name: pre-install-security-check Version: 1.0.1 The 'pre-install-security-check' skill is a defensive tool designed to automate risk assessment for external code and dependencies (GitHub, npm, PyPI) before installation. It implements a transparent risk-scoring logic based on repository metrics and known vulnerability databases (GitHub Advisory, Snyk, OSV) and includes explicit guardrails to ensure user confirmation for risky packages. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the skill's behavior is entirely consistent with its stated security purpose.
能力评估
Purpose & Capability
The name/description and SKILL.md consistently describe a pre-install security scanner for GitHub, PyPI, npm, and direct URLs; the listed integration endpoints (GitHub API, PyPI JSON, npm registry, OSV, GitHub Advisory) are appropriate and expected for that purpose. One minor mismatch: the skill references Snyk (which requires an API token for full API access) but the registry metadata declares no required credentials or primaryEnv—this is plausible (the skill can rely on OSV/GitHub/unauthed endpoints), but it is an unexplained omission that should be clarified.
Instruction Scope
SKILL.md stays within the stated scope: detect install commands (git clone / pip install / npm install / curl | bash), fetch metadata from registries and advisories, compute a risk score, and ask for confirmation. It does instruct auto-proceed for 'Safe' results (auto-install), which is coherent with the feature but increases operational risk because it implies the skill will execute install commands on the user's behalf. The instructions do not ask the agent to read unrelated system files or exfiltrate environment variables.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to run on install, which is the lowest-risk install mechanism. No external archives, custom binaries, or obscure download URLs are present.
Credentials
The skill references external services (Snyk, possibly GitHub Advisory API with higher rate limits) that commonly require API tokens, but the skill metadata declares no required environment variables or primary credential. This is a proportionality gap: if the implementation uses Snyk/GitHub authenticated endpoints it will require tokens, but those aren't declared. Also, auto-proceeding with installs means the skill may execute commands that could access local resources; users should confirm whether the skill will run commands only after local confirmation and whether it will store or require any tokens.
Persistence & Privilege
The skill does not request permanent inclusion (always: false), and does not declare changes to other skills or system-wide settings. Autonomous invocation is allowed (default) but that is expected for skills that monitor commands; combined with the auto-proceed behavior this increases the impact if misconfigured, but there is no explicit excessive privilege requested in the metadata.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install pre-install-security-check
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /pre-install-security-check 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- Improved SKILL.md metadata with tags and a clearer description highlighting key features and integrations. - Added a new README.md file. - Updated main description to emphasize first-class OpenClaw integration and CVE database support. - No changes to risk analysis logic or security procedures.
v1.0.0
- Initial release of the security-check skill: automated verification before installing dependencies, cloning repositories, or running external code. - Evaluates risk using metrics like downloads, repository activity, known vulnerabilities, license, and maintainer reputation. - Assigns risk level: ✅ Safe (proceed), ⚠️ Review (show summary/ask), ❌ Dangerous (strong warning/manual approval). - Integrates with GitHub, PyPI, npm APIs, and vulnerability databases for up-to-date analysis. - Logs all decisions, requires user confirmation for risky installs, and never auto-installs flagged packages.
元数据
Slug pre-install-security-check
版本 1.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Security Check 是什么?

🔒 Pre-installation security verification for external code and dependencies. Automated risk analysis for GitHub repos, npm packages, PyPI libraries, and she... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 374 次。

如何安装 Security Check?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install pre-install-security-check」即可一键安装,无需额外配置。

Security Check 是免费的吗?

是的,Security Check 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Security Check 支持哪些平台?

Security Check 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Security Check?

由 nullweave(@gawezepobi09-debug)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论